ICANN/GNSO GNSO Email List Archives

[ga]


<<< Chronological Index >>>    <<< Thread Index >>>

Re: [ga] Anycast


Hugh Dierker wrote:

> First of all, thank you. Secondly, so was this "attack" probably a man-in-the-middle or a blackhole method?

I think you might have caught a mild case of the buzzword flu.

"man-in-the-middle" is a method based on getting between a source and a destination. I build products to do this in a constructive way for protocol testing. It's not a technique that is used for mass attacks, although it can be the way that one gets control of a resource.

"blackhole" can pertain to routing or email (or any other kind of traffic) in which traffic is sent, intentionally or under the control of an attacker, into never-never land. Again this is not a way of doing an attack to heavily burden a target.

A lot of attacks these days come from drone armies - zombie/bot machines, often mom-and-pop windoz boxes, but also sometimes bigger engines under other operating systems - that are marched about by a bot pharmer and ordered to direct traffic at something. Considering that the size of these armies is now in the millions, it can be a national security level of concern.

> Thirdly, are there other instances of the root server folks doing something of such importance without the ICANN good-housekeeping seal of approval?

ICANN has no technical seal of approval. ICANN watches, like the rest of us.

The root server operators are, fortunately, very, very clueful people.

I have long advocated ICANN entering into a binding legal agreement with the root operators. That agreement would essentially require the root server operators to keep up the good work they are already doing and forswear certain evil kinds of things, like preferential or prejudicial service for or against any query source or any query question. In return ICANN would make available financial resources for instant use should a root server operator find itself in trouble due to natural or human catastrophe.


> And this may be a dumb question, but is this being implemented along with IPv6, or is it getting bogged down?

IPv6 records already exist in DNS. And there are name servers that have IPv6 addresses.


There are some TLDs (including .com and .biz) that have NS records that reference names that have IPv6 glue AAAA records.

There is an internet draft out about the issues of the increased size of response packets that arise because of these records. See: http://www.ietf.org/internet-drafts/draft-ietf-dnsop-respsize-07.txt

On my lab net I have seen some issues in which some of my machines that have IPv6 enabled try to talk v6 to external name servers, but end up timing out (and me waiting) because my lab net has no external v6 connectivity.

		--karl--
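The response-size issue Karl points to (a referral whose glue grows once AAAA records are added alongside A records) can be made concrete by building the referral in wire format and measuring it. The following is an added example, not code from the message or from the draft it cites. It assumes a constructed delegation: the zone "example." served by hosts a..m.gtld-servers.example. with addresses from the 192.0.2.0/24 and 2001:db8::/32 documentation ranges; none of these names or counts are taken from any real TLD. The builder implements RFC 1035 name compression so the sizes are realistic for what a server would actually emit.

```python
"""
Estimating the wire size of a DNS referral that carries A and AAAA glue.

Added example, not code from the mailing-list message or the cited draft.
The zone "example." and the server names a..m.gtld-servers.example. are
constructed for illustration; the addresses are documentation prefixes.
"""
import ipaddress
import struct

TYPE_A, TYPE_NS, TYPE_AAAA = 1, 2, 28
SECTION_AN, SECTION_NS, SECTION_AR = 1, 2, 3
CLASSIC_LIMIT = 512  # max UDP payload without EDNS0 (RFC 1035)


class DnsMessage:
    """Minimal DNS wire-format builder with RFC 1035 name compression."""

    def __init__(self, msg_id=0x1234, flags=0x8000):
        self.buf = bytearray(struct.pack("!HH", msg_id, flags)) + bytes(8)
        self.names = {}             # suffix -> offset of its first appearance
        self.counts = [0, 0, 0, 0]  # QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT

    def put_name(self, name):
        labels = name.rstrip(".").split(".")
        for i, label in enumerate(labels):
            suffix = ".".join(labels[i:])
            if suffix in self.names:           # emit a compression pointer
                self.buf += struct.pack("!H", 0xC000 | self.names[suffix])
                return
            if len(self.buf) < 0x4000:         # pointers hold 14 bits
                self.names[suffix] = len(self.buf)
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError("bad label: %r" % label)
            self.buf += bytes([len(raw)]) + raw
        self.buf += b"\x00"                    # root label terminates the name

    def put_question(self, qname, qtype):
        self.put_name(qname)
        self.buf += struct.pack("!HH", qtype, 1)
        self.counts[0] += 1

    def put_rr(self, section, owner, rtype, ttl, rdata=b"", rdname=None):
        """Append an RR; RDATA is either raw bytes or a compressible name."""
        self.put_name(owner)
        self.buf += struct.pack("!HHI", rtype, 1, ttl)
        len_off = len(self.buf)
        self.buf += b"\x00\x00"                # RDLENGTH, patched below
        if rdname is not None:
            self.put_name(rdname)
        else:
            self.buf += rdata
        struct.pack_into("!H", self.buf, len_off, len(self.buf) - len_off - 2)
        self.counts[section] += 1

    def to_wire(self):
        struct.pack_into("!HHHH", self.buf, 4, *self.counts)
        return bytes(self.buf)


def build_referral(nservers, with_aaaa):
    """Referral for www.example. to nservers name servers, with glue."""
    msg = DnsMessage()
    msg.put_question("www.example.", TYPE_A)
    hosts = ["%s.gtld-servers.example." % chr(ord("a") + i)
             for i in range(nservers)]
    for host in hosts:
        msg.put_rr(SECTION_NS, "example.", TYPE_NS, 172800, rdname=host)
    for i, host in enumerate(hosts):                     # A glue
        v4 = ipaddress.IPv4Address("192.0.2.%d" % (i + 1))
        msg.put_rr(SECTION_AR, host, TYPE_A, 172800, v4.packed)
    if with_aaaa:                                        # AAAA glue
        for i, host in enumerate(hosts):
            v6 = ipaddress.IPv6Address("2001:db8::%x" % (i + 1))
            msg.put_rr(SECTION_AR, host, TYPE_AAAA, 172800, v6.packed)
    return msg.to_wire()


def referral_size(nservers, with_aaaa):
    return len(build_referral(nservers, with_aaaa))


def fits(nservers, with_aaaa, client_bufsize=CLASSIC_LIMIT):
    """True if the referral fits the client's advertised UDP buffer."""
    return referral_size(nservers, with_aaaa) <= client_bufsize


if __name__ == "__main__":
    for n in (6, 13):
        for aaaa in (False, True):
            size = referral_size(n, aaaa)
            print("%2d servers, AAAA=%-5s -> %4d bytes, fits in 512: %s"
                  % (n, aaaa, size, fits(n, aaaa)))
```

With thirteen name servers the A-only referral is 458 bytes and fits the classic 512-byte UDP limit; adding one AAAA glue record per server (28 bytes each with a compressed owner name) pushes it to 822 bytes. A server answering a client that has not advertised an EDNS0 buffer size must then drop records or set the TC bit, forcing a TCP retry; a client that advertises a larger EDNS0 buffer (for example 4096) receives the full referral in one UDP packet.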
