<<<
Chronological Index
>>> <<<
Thread Index
>>>
Re: [ga] Anycast
- To: Karl Auerbach <karl@xxxxxxxxxxxx>
- Subject: Re: [ga] Anycast
- From: Hugh Dierker <hdierker2204@xxxxxxxxx>
- Date: Wed, 14 Mar 2007 18:03:17 -0700 (PDT)
- Cc: ga <ga@xxxxxxxxxxxxxx>
- Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=X-YMail-OSG:Received:Date:From:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID; b=REKsFtpko2MB46ugDckKOwjpYf7kcZToQheadd3yaGKO6ompl4l+b/yRsBvSRpbaXw3OsZ2s48HUhHuYSpioS6M5E+pxESxSsGQck01p6yGZqJv+LlQVFJYrOq2KwWZWeI6CUs/Aws4DpyukrcvxdCBVTEVG5QYqhTcjiQPDax0=;
- In-reply-to: <45F8611C.6000203@cavebear.com>
- Sender: owner-ga@xxxxxxxxxxxxxx
Excellent. Thank you for my schooling. I'll take something for that flu.
Eric
Karl Auerbach <karl@xxxxxxxxxxxx> wrote:
Hugh Dierker wrote:
> first of all thank you.
> Secondly - so was this "attack" probably a man-in-the-middle or a
> blackhole method?
I think you might have caught a mild case of the buzzword flu.
"man-in-the-middle" is method based on getting between a source and a
destination. I build products to do this in a constructive way for protocol
testing. It's not a technique that is used for mass attacks, although it can
be the way that one gets control of a resource.
"blackhole" can pertain to routing or email (or any other kind of traffic) in
which traffic is sent, intentionally or under the control of an attacker, into
never-never land. Again this is not a way of doing an attack to heavily burden
a target.
A lot of attacks these days come from drone armies - zombie/bot machines, often
mom-and-pop windoz boxes, but also sometimes bigger engines under other
operating systems - that are marched about by a bot pharmer and ordered to
direct traffic at something. Considering that the size of these armies is now
in the millions, it can be a national security level of concern.
> Thirdly - Are there other instances of the root server folks doing
> something of such importance without the ICANN goodhouse keeping seal of
> approval.
ICANN has no technical seal of approval. ICANN watches, like the rest of us.
The root server operators are, fortunately, very, very clueful people.
I have long advocated ICANN entering into a binding legal agreement with the
root operators. That agreement would essentially require the root server
operators to keep up the good work they are already doing and foreswear certain
evil kinds of things, like preferential or prejudicial service for or against
any query source or any query question. In return ICANN would make available
financial resources for instant use should a root server operator find itself
in trouble due to natural or human catastrophe.
> And this may be a dumb question but; Is this being implemented along
> with the IPv6 or is it getting bogged down.
IPv6 records already exist in DNS. And there are name servers that have IPv6
addresses.
There are some TLDs (including .com and .biz) that have NS records that
reference names that have IPv6 glue AAAA records.
There is an internet draft out about the issues of the increased size of
response packets that arise because of these records, See:
http://www.ietf.org/internet-drafts/draft-ietf-dnsop-respsize-07.txt
On my lab net I have seen some issues in which some of my machines that have
IPv6 enabled try to talk v6 to external name servers, but end up timing out
(and me waiting) because my lab net has no external V6 connectivity.
--karl--
---------------------------------
TV dinner still cooling?
Check out "Tonight's Picks" on Yahoo! TV.
<<<
Chronological Index
>>> <<<
Thread Index
>>>
|