To: [EMAIL PROTECTED] Subject: RE: [Full-disclosure] DNS spoofing issue. Thoughts on
I chose my wording to cover not only DNSSEC but possible alternatives that could be devised. Certs are not the only way to do it, but it needs to be installed all over. The BGP fixes were devised after the last meltdown, but question again is whether they are installed. If DNSSEC had been installed, Kaminsky's issue would not exist. Since the number of sites running BGP among themselves is not that huge, it is probably not as practical an attack vector. Last meltdown that happened was said to be solved largely because most of the BGP site operators knew each other well enough to recognize voices on the phone. Net's bigger now tho. The fact that the recent youtube route hijack and the kenya routing insecurity incidents happened suggests that the md5 security is not in fact in place much (needs predefined secrets installed and apparently people don't configure it to do anything). That being the case, a reminder that maybe it could be good to reexamine this seems not totally daft. Glenn Everhart [EMAIL PROTECTED] (posting from home; I am the same one who has posted from work also.) -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Wednesday, July 30, 2008 11:30 AM To: Everhart, Glenn (Card Services) Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [email protected] Subject: Re: [Full-disclosure] DNS spoofing issue. Thoughts on On Sun, 27 Jul 2008 14:07:03 EDT, [EMAIL PROTECTED]<censored>h.a.sx.com said: > The need for something more like ssl certs in there remains It's called DNSSEC, which has been out for a decade and more. > (Also needed for bgp I suspect). RFC2385 (TCP MD5 protection for BGP) addresses most of the issues, at least on a peer-to-peer basis, and has been out for a decade. There's a discussion of the issues in RFC5123. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
