ICANN/GNSO GNSO Email List Archives

[ga]



Re: [ga] Anycast

  • To: Karl Auerbach <karl@xxxxxxxxxxxx>
  • Subject: Re: [ga] Anycast
  • From: Hugh Dierker <hdierker2204@xxxxxxxxx>
  • Date: Wed, 14 Mar 2007 18:03:17 -0700 (PDT)
  • Cc: ga <ga@xxxxxxxxxxxxxx>
  • Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=X-YMail-OSG:Received:Date:From:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID; b=REKsFtpko2MB46ugDckKOwjpYf7kcZToQheadd3yaGKO6ompl4l+b/yRsBvSRpbaXw3OsZ2s48HUhHuYSpioS6M5E+pxESxSsGQck01p6yGZqJv+LlQVFJYrOq2KwWZWeI6CUs/Aws4DpyukrcvxdCBVTEVG5QYqhTcjiQPDax0=;
  • In-reply-to: <45F8611C.6000203@cavebear.com>
  • Sender: owner-ga@xxxxxxxxxxxxxx

Excellent. Thank you for my schooling. I'll take something for that flu.

Eric

Karl Auerbach <karl@xxxxxxxxxxxx> wrote:
  Hugh Dierker wrote:

> first of all thank you. 
> Secondly - so was this "attack" probably a man-in-the-middle or a 
> blackhole method?

I think you might have caught a mild case of the buzzword flu.

"man-in-the-middle" is a method based on getting between a source and a 
destination. I build products to do this in a constructive way for protocol 
testing. It's not a technique that is used for mass attacks, although it can 
be the way that one gets control of a resource.

"blackhole" can pertain to routing or email (or any other kind of traffic) in 
which traffic is sent, intentionally or under the control of an attacker, into 
never-never land. Again this is not a way of doing an attack to heavily burden 
a target.

A lot of attacks these days come from drone armies - zombie/bot machines, often 
mom-and-pop windoz boxes, but also sometimes bigger engines under other 
operating systems - that are marched about by a bot pharmer and ordered to 
direct traffic at something. Considering that the size of these armies is now 
in the millions, it can be a national security level of concern.

> Thirdly - Are there other instances of the root server folks doing 
> something of such importance without the ICANN good housekeeping seal of 
> approval?

ICANN has no technical seal of approval. ICANN watches, like the rest of us.

The root server operators are, fortunately, very, very clueful people.

I have long advocated ICANN entering into a binding legal agreement with the 
root operators. That agreement would essentially require the root server 
operators to keep up the good work they are already doing and forswear certain 
evil kinds of things, like preferential or prejudicial service for or against 
any query source or any query question. In return ICANN would make available 
financial resources for instant use should a root server operator find itself 
in trouble due to natural or human catastrophe.


> And this may be a dumb question, but is this being implemented along 
> with IPv6 or is it getting bogged down?

IPv6 records already exist in DNS. And there are name servers that have IPv6 
addresses.

There are some TLDs (including .com and .biz) that have NS records that 
reference names that have IPv6 glue AAAA records.

There is an internet draft out about the issues of the increased size of 
response packets that arise because of these records. See: 
http://www.ietf.org/internet-drafts/draft-ietf-dnsop-respsize-07.txt

On my lab net I have seen some issues in which some of my machines that have 
IPv6 enabled try to talk v6 to external name servers, but end up timing out 
(and me waiting) because my lab net has no external v6 connectivity.

--karl--


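The response-size issue Karl points to (the draft-ietf-dnsop-respsize work) can be seen by building a referral on the wire and measuring it. The script below is an added example, not code from this thread or from the IETF draft: it assembles a delegation response in RFC 1035 wire format, with label compression, for a constructed zone `example.test` with 13 name servers (the count the large TLDs use) and compares the size with A-only glue against A plus AAAA glue. Zone name, server names and the 192.0.2.0/24 and 2001:db8::/32 addresses are all constructed documentation values; `UDP_LIMIT` is the classic 512-byte limit a resolver without EDNS0 is bound to.

```python
"""Estimate the wire size of a DNS referral response with and without AAAA glue.

Added example (not from the mailing-list post or the IETF draft). Zone,
server names and addresses below are constructed; addresses use the
RFC 5737 / RFC 3849 documentation ranges.
"""
import ipaddress
import struct

TYPE_A, TYPE_NS, TYPE_AAAA = 1, 2, 28
CLASS_IN = 1
TTL = 172800          # two days, a common TTL for delegation records
UDP_LIMIT = 512       # RFC 1035 UDP payload limit when EDNS0 is not in use


def encode_name(name, offset, table):
    """Encode `name` at message `offset` using RFC 1035 label compression.

    `table` maps an already-encoded suffix (lowercase, no trailing dot) to the
    message offset where it starts; suffixes seen for the first time are added.
    """
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    out = bytearray()
    for i, label in enumerate(labels):
        suffix = ".".join(labels[i:])
        if suffix in table:
            # The rest of the name already appears earlier: emit a 2-byte pointer.
            out += struct.pack("!H", 0xC000 | table[suffix])
            return bytes(out)
        pos = offset + len(out)
        if pos <= 0x3FFF:   # compression pointers only reach the first 16 KiB
            table[suffix] = pos
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    out += b"\x00"          # root label terminates an uncompressed name
    return bytes(out)


def build_referral(qname, zone, ns_names, glue_a, glue_aaaa, include_aaaa=True):
    """Build a referral: NS records in AUTHORITY, glue addresses in ADDITIONAL."""
    table = {}
    msg = bytearray(12)                          # header, filled in at the end
    msg += encode_name(qname, len(msg), table)
    msg += struct.pack("!HH", TYPE_A, CLASS_IN)  # QTYPE, QCLASS
    arcount = 0

    for ns in ns_names:                          # authority section
        msg += encode_name(zone, len(msg), table)
        msg += struct.pack("!HHI", TYPE_NS, CLASS_IN, TTL)
        rdata = encode_name(ns, len(msg) + 2, table)  # +2 skips RDLENGTH
        msg += struct.pack("!H", len(rdata)) + rdata

    def add_glue(owner, rtype, addr):
        nonlocal arcount
        packed = ipaddress.ip_address(addr).packed   # 4 bytes for A, 16 for AAAA
        msg.extend(encode_name(owner, len(msg), table))
        msg.extend(struct.pack("!HHIH", rtype, CLASS_IN, TTL, len(packed)) + packed)
        arcount += 1

    for ns in ns_names:                          # additional section
        for addr in glue_a.get(ns, []):
            add_glue(ns, TYPE_A, addr)
        if include_aaaa:
            for addr in glue_aaaa.get(ns, []):
                add_glue(ns, TYPE_AAAA, addr)

    # ID, flags (QR set, AA clear as in a referral), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    struct.pack_into("!HHHHHH", msg, 0, 0x1234, 0x8000, 1, 0, len(ns_names), arcount)
    return bytes(msg)


def referral_sizes(qname, zone, ns_names, glue_a, glue_aaaa):
    """Return (size without AAAA glue, size with AAAA glue) in bytes."""
    return (len(build_referral(qname, zone, ns_names, glue_a, glue_aaaa, False)),
            len(build_referral(qname, zone, ns_names, glue_a, glue_aaaa, True)))


# Constructed delegation: 13 name servers, the count the large TLDs use.
ZONE = "example.test"
NS_NAMES = [f"{c}.ns.{ZONE}" for c in "abcdefghijklm"]
GLUE_A = {ns: [f"192.0.2.{i + 1}"] for i, ns in enumerate(NS_NAMES)}
GLUE_AAAA = {ns: [f"2001:db8::{i + 1}"] for i, ns in enumerate(NS_NAMES)}

if __name__ == "__main__":
    v4_only, v4_v6 = referral_sizes(f"www.{ZONE}", ZONE, NS_NAMES, GLUE_A, GLUE_AAAA)
    for label, size in (("A glue only", v4_only), ("A + AAAA glue", v4_v6)):
        verdict = "fits in" if size <= UDP_LIMIT else "exceeds"
        print(f"{label}: {size} bytes, {verdict} the {UDP_LIMIT}-byte UDP limit")
```

With 13 servers the A-only referral comes to 453 bytes and fits, while adding one AAAA glue record per server costs 28 bytes each (a 2-byte compressed owner, 10 bytes of fixed fields, 16 bytes of address) and pushes the response to 817 bytes. A server answering a client that has not advertised a larger EDNS0 buffer must then either drop glue or set TC and force a TCP retry, which is the effect the draft discusses; a resolver with no working v6 path, like the lab net Karl describes, additionally wastes time on the AAAA glue it does receive.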

