On Mar 29, 2010, at 10:16 AM, RL Vaughn wrote:
> On 3/29/10 9:53 AM, [email protected] wrote:
>> http://www.computerworld.com/s/article/9174132/China_s_Great_Firewall_spreads_overseas
>>
>> So was this a DNS or BGP issue? The reporter appears to be confused, or
>> was it the Arbor Networks talking head?
> It was a DNS issue. One host in i-root was providing incorrect answers.
> The reason for those incorrect answers is unknown but the solution was
> to remove the responsible host from the i-root anycast.

Are you certain of this, Randy? There are at least two questions:

1) Why was someone in Chile using that server (i.e., the routing bit)
2) Why were the responses they were getting "incorrect"

Regarding the latter, just because a client receives an "incorrect
answer" doesn't necessarily mean it's what the server ("i-root") was
transmitting.

Removing the anycast instance from the i-root cluster means the
ingress path towards i-root was withdrawn, so that instance, and anything
on the return path towards the client, are no longer an issue. I think
the latter set of my comments in the article from last week allude to
this (i.e., potential middleboxen manipulation).

That said, I do eagerly await an authoritative postmortem from
the relevant parties. But if you have data that suggests that
"i-root was providing incorrect answers", I suspect folks would
be quite interested in that.

-danny
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.