Gentlefolks,

I note that Gadi Evron was, until recently, employed by Afilias, the
same company as Joe Abley.  At present, according to another recent
NANOG controversy, Mr. Evron.  Mr. Hankins is also not an independent
source, being part of ISC, Joao Damas' (document author) employer.

Also, I do not think that we need to require Aristotelian proof. The
basis of my objection isn't the lack of Aristotelian proof.  Rather, it
seems reasonable to require _some_ evidence that this is a real problem,
especially in light of the contrived and exaggerated nature of the
claims; the fact that there are DNS attacks that are easier to conduct;
the fact that the alternative attack doesn't risk detection; the fact
that the alternative attack is harder to mitigate; as well as the
previously discredited source(s) of the claims [See
http://www.iadl.org/nanog/nanog-story.html and
http://www.iadl.org/maps/maps-story.html]

Given that the questioned sources form only a tiny part of even just the
North American ISPs, it shouldn't be very hard to find credible
sources---that is, if indeed this is a real problem that is widely
experienced by internet service providers and that this problem is
serious enough to justify the costs of closing open recursors.  But so
far, we've seen no direct evidence nor any indirect evidence.
Anecdotes and personal assurances from a tiny group that has
collaborated (properly and improperly) in the past are insufficient to
justify the costs of implementing this change.

I am also reminded of another point that hasn't been brought up
recently: BCP38 provides a complete and general solution for this and
other spoofing attacks.  Given BCP38, there is really no need for this
document.  BCP38 should protect many services that could potentially be
abused by spoofing, including the legitimate uses of open recursors.
The efforts spent on this document (both in writing and in later
implementation) would be better applied to promoting and implementing
BCP38.

I might suggest a poll of ISPs, and if 5000 or so ISPs worldwide agree
that open recursor attacks are a current, serious problem that can't be
solved by BCP38, then it's a problem that should be acted on.  However,
given past experiences with blacklists (particularly the proponents'
association with disreputable blacklists), we should take care that the
proponents do not unduly solicit or threaten ISPs to obtain agreement.

Thanks,

                --Dean

On Fri, 5 Sep 2008, David W. Hankins wrote:

> [For brevity, this is intended as a message in support of Joe's
>  position.  I think my original got eaten in the earlier mail
>  server event announced on ietf@, so apologies for any duplicates.]
> 
> On Tue, Sep 02, 2008 at 03:46:48PM -0400, Joe Abley wrote:
> > My point is that there are a large number of distributed denial of  
> > service attacks happening every day, on a scale large enough to  
> > involve multiple providers and cross-organisational teams for  
> > mitigation.
> 
> For informational purposes, I'd like to point out that yesterday on
> the NANOG mailing list, it was asserted that DNS Amplification attacks
> are being observed by one security worker (Gadi Evron) on a seemingly
> daily basis, frustrated by the lack of adoption of BCP 38 (which is
> proposed as the root cause). [1]
> 
> 
> Let me say that it is entirely right to suggest that in this case, if
> you are engaged in a dialogue of logical deduction, then in the face
> of the claim that something does not exist, the responsibility of
> argument is to prove that thing does exist, on the basis that one
> cannot reasonably prove non-existence of any physical object (or
> event) with Aristotelian tenacity.
> 
> Which is problematic because such a proof (with Aristotelian tenacity)
> in this case would require publishing of normally withheld and guarded
> data in provably unaltered forms.  This may not even be possible.
> 
> This would appear then to be an impasse if the IETF required such
> tenacity.
> 
> Fortunately, the IETF works on a basis of consensus among
> practitioners, not on a basis of Aristotelian deductive proofs of
> draft contents and volunteers' opinions.  I'm content to agree with
> the other WG participants that DNS Amplification attacks do persist in
> the modern day, and that it is useful to write and publish a document
> that seeks mitigation.
> 
> I hope that the WG's consensus will be so measured by the chairs.
> 
> 
>  [1] - http://www.merit.edu/mail.archives/nanog/msg11131.html
> 
> 

-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 344 9000   
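The two mitigations argued over in this exchange (closing open recursors, and BCP38/RFC 2827 ingress filtering at the attacker's ISP) can be traced on a toy packet model. The following is an added example, not code from Dean's or David Hankins's messages or from any IETF draft; the topology, prefixes, addresses and byte counts are constructed, and the resolver check is a stand-in for a BIND-style allow-recursion ACL rather than any real resolver's code.

```python
"""
Toy model of a spoofed-source DNS reflection attempt and the two
mitigations discussed in the thread:
  * BCP38 (RFC 2827) ingress filtering on the customer-facing port
    of the attacker's ISP, and
  * restricting recursion on the resolver (the "close the open
    recursor" approach).
Everything below is constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    """A UDP datagram as seen at an ISP edge router (constructed)."""
    src: str          # claimed source address (spoofed by the attacker)
    dst: str          # destination: the recursive resolver
    ingress_if: str   # customer-facing interface it arrived on
    length: int       # bytes on the wire


# Constructed topology: one customer port and the prefix assigned to it.
CUSTOMER_PREFIXES = {"cust-A": [ip_network("198.51.100.0/24")]}
VICTIM = "203.0.113.10"                 # address the attacker spoofs
RESOLVER = "192.0.2.53"                 # the recursor being reflected off
OPEN = [ip_network("0.0.0.0/0")]        # like allow-recursion { any; }
CLOSED = [ip_network("192.0.2.0/24")]   # recursion for own clients only


def bcp38_permits(pkt, customer_prefixes=CUSTOMER_PREFIXES):
    """RFC 2827 ingress filter: forward a packet arriving on a customer
    interface only if its source lies in a prefix assigned to that
    customer. A spoofed victim address fails this check at the edge."""
    nets = customer_prefixes.get(pkt.ingress_if, [])
    src = ip_address(pkt.src)
    return any(src in n for n in nets)


def resolver_answers(pkt, allow_recursion):
    """Stand-in for a resolver's recursion ACL: answer only if the
    (claimed) source is inside the configured client networks."""
    src = ip_address(pkt.src)
    return any(src in n for n in allow_recursion)


def reflect(pkt, allow_recursion, response_len, ingress_filtering=True):
    """Trace one query through the ISP edge and the resolver.

    Returns (forwarded_by_isp, answered_by_resolver, bytes_to_src).
    bytes_to_src is what lands on pkt.src, i.e. on the victim when the
    source is spoofed. ingress_filtering=False models an ISP that has
    not deployed BCP38, which is the case Hankins's NANOG citation
    complains about."""
    forwarded = bcp38_permits(pkt) if ingress_filtering else True
    if not forwarded:
        return (False, False, 0)
    answered = resolver_answers(pkt, allow_recursion)
    return (True, answered, response_len if answered else 0)


def amplification_factor(query_len, response_len):
    """Response bytes delivered per query byte sent by the attacker."""
    return response_len / query_len


if __name__ == "__main__":
    spoofed = Packet(src=VICTIM, dst=RESOLVER, ingress_if="cust-A", length=64)
    legit = Packet(src="198.51.100.7", dst=RESOLVER, ingress_if="cust-A", length=64)
    # 3000 is a constructed response size, not a measured one.
    for label, kw in (("no BCP38, open recursor", dict(allow_recursion=OPEN, ingress_filtering=False)),
                      ("BCP38, open recursor", dict(allow_recursion=OPEN)),
                      ("no BCP38, closed recursor", dict(allow_recursion=CLOSED, ingress_filtering=False))):
        print(label, reflect(spoofed, response_len=3000, **kw))
    print("legitimate client, BCP38 + open recursor", reflect(legit, OPEN, 3000))
    print("amplification", amplification_factor(64, 3000))
```

The model makes Dean's point and its limit visible at once: with ingress filtering on the attacker's port the spoofed query never leaves the ISP, regardless of how the resolver is configured, and a legitimate customer keeps full use of the open recursor; without it, only the resolver's own recursion ACL stands between the attacker and the victim, which is why the resolver-side mitigation is the one an operator can deploy unilaterally.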



_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
