> On Thu, Oct 26, 2006 at 07:34:11PM +0200,
> Peter Koch <[EMAIL PROTECTED]> wrote
> a message of 28 lines which said:
>
> > "Preventing Use of Recursive Nameservers in Reflector Attacks"
> > draft-ietf-dnsop-reflectors-are-evil-02.txt
>
> I've reviewed it and I approve the document and its intended status.
>
> I have a reservation which may be addressed in -03 by an editorial
> change. The draft repeats many (too many) times that "the only truly
> real solution, the wide-scale deployment of ingress filtering". In
> computer and network security, sentences such as "the only truly real
> solution" are meaningless and should be used only by marketeers. (For
> instance, BCP 38 does not prevent attacks when the attacker and the
> victim are on the same side of the filters, for instance when they are
> customers of the same ISP, and this ISP deploys filtering only at its
> borders.)

Remember the ISP's network borders with their customers'
network / hosts. BCP 38 says that it should be applied
at that border.

ISPs should be preventing customers spoofing other
customers. Apart from broadcast media this should not
be impossible.

> I suggest to say instead something like "a better solution, the
> wide-scale deployment of ingress filtering".
>
> .
> dnsop resources:_____________________________________________________
> web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html
> mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]
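
The two filter placements discussed in this exchange, modelled as an added example that is not part of either message. The prefixes, port names and function names are constructed for illustration; the model assumes one ISP aggregate and one assigned prefix per customer port.

```python
import ipaddress

# Constructed topology (assumption): one ISP aggregate, two customer ports.
ISP_AGGREGATE = ipaddress.ip_network("198.51.100.0/24")
CUSTOMER_PORTS = {
    "cust-a": ipaddress.ip_network("198.51.100.0/26"),
    "cust-b": ipaddress.ip_network("198.51.100.64/26"),
}


def border_only_permits(src):
    """Source check done only where the ISP meets other networks:
    any source inside the ISP aggregate is accepted."""
    return ipaddress.ip_address(src) in ISP_AGGREGATE


def customer_edge_permits(port, src):
    """Source check done on each customer-facing port: the source must
    fall inside the prefix assigned to that port."""
    prefix = CUSTOMER_PORTS.get(port)
    return prefix is not None and ipaddress.ip_address(src) in prefix


# Constructed packets: (ingress port, claimed source address, note)
SAMPLE_PACKETS = [
    ("cust-a", "198.51.100.10", "legitimate"),
    ("cust-a", "198.51.100.70", "claims an address of cust-b, same ISP"),
    ("cust-a", "203.0.113.5", "claims an address outside the ISP"),
]


def evaluate(packets):
    """Return, per packet, whether each filter placement lets it through."""
    return [
        {
            "port": port,
            "src": src,
            "note": note,
            "border_only": border_only_permits(src),
            "customer_edge": customer_edge_permits(port, src),
        }
        for port, src, note in packets
    ]


if __name__ == "__main__":
    for row in evaluate(SAMPLE_PACKETS):
        print(f"{row['src']:<15} border_only={row['border_only']!s:<5} "
              f"customer_edge={row['customer_edge']!s:<5} ({row['note']})")
```

The second packet is the case raised in the review: it is accepted by the border-only check but dropped when the check sits on the customer-facing port.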