[address-policy-wg] Renumbering sites (Was: Just say *NO* to PI space -- or how to make it less destructive)
- Previous message (by thread): [address-policy-wg] Renumbering sites (Was: Just say *NO* to PI space -- or how to make it less destructive)
- Next message (by thread): [address-policy-wg] Renumbering sites (Was: Just say *NO* to PI space -- or how to make it less destructive)
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Michael.Dillon at btradianz.com
Tue Apr 25 16:54:42 CEST 2006
> Why does the laptop store the *addresses* instead of an (FQ)DN?

I have no idea. That is the way the IT department sets up things. But given that the VPN is a SECURITY measure, I suspect it has to do with the layers of security philosophy in which you implement many layers. According to this philosophy it is good to use a security layer even if it is not fully effective on its own. A real world example is locks on the doors of a building with glass windows.

In this case, the IPv4 address is recorded to circumvent perceived weaknesses with DNS and to eliminate the possibility of man-in-the-middle attacks on the DNS. While some would argue that this is unnecessary since the VPN uses cryptographic security, others would point to SSH v1 vulnerabilities and the fact that RSA keys up to 450 bits have been cracked, to show that there is still a theoretical benefit to extra security layers.

In any case, information security basically amounts to making it very complex for an attacker to manage all the contortions needed to break in within the time available to him. I wonder if the security community has put much thought into the kind of contortions which DNS elimination represents. After all, if DNS is used, then an attacker must subvert the DNS server or protocol. If it is not used then the attacker must subvert the IP routing system. Since we know that people are actively subverting routers and the routing system from time to time, I wonder whether the balance has shifted in favour of DNS. Of course, once DNS resolution has been applied, the routing system could still be subverted, but one could argue that round-robin dynamically updated A records could make it harder for the attacker to identify where the routing system needs to be compromised. Indeed, the blackhat community themselves are using this kind of dynamic DNS in order to evade whitehats attacking them.

If there were a clearer analysis of these approaches rather than an outright rejection of things like DNS elimination, then I think we might be able to agree on best practices that meet both security needs and the need to keep networks in a maintainable (and renumberable) state.

--Michael Dillon