>>>>> On Fri, 28 Jun 2002 10:31:34 +0300 (EEST),
>>>>> Pekka Savola <[EMAIL PROTECTED]> said:
>> The point, IMO, is that even DNS PTR responses are not reliable enough
>> for access control purposes, as described in
>> draft-ietf-dnsop-inaddr-required-03.txt.
> The draft does not describe that adequately.
> The only places I see are in:
> 4:
> [...] The use
> of IN-ADDR, sometimes in conjunction with a lookup of the name
> resulting from the PTR record adds no real security, [...]
> and
> 5:
> By recommending applications avoid using IN-ADDR as a security
> mechanism this document points out that this practice, despite its
> use by many applications, is an ineffective form of security.
> Applications should use better mechanisms of authentication.
> I would not call this a "description", I call it FUD.
So the point is whether it is reasonable to rely on PTRs (+name) for
access control, rather than about the usage of node information as a
replacement of PTRs (assuming that PTRs are insecure too). If we can
agree to the sense of the "inaddr-required" draft, the usage of node
information will also be acceptable. Otherwise, the usage of node
information will also be unacceptable.
In my understanding, draft-ietf-dnsop-inaddr-required-03.txt is based
on some consensus in the dnsop group, and it seems to me the IESG also
agrees on this according to a previous message from Thomas. I
basically agree, too. If you think it is FUD, please convince them
(including me) and make an opposite consensus.
JINMEI, Tatuya
Communication Platform Lab.
Corporate R&D Center, Toshiba Corp.
[EMAIL PROTECTED]
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
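The check the thread argues about, as an added example that is not part of the original message or of the inaddr-required draft: a PTR-only check and a forward-confirmed (PTR plus A/AAAA) check run against a constructed in-memory zone table, with one address whose reverse zone is under the sender's own control. The zone data, host names and addresses are assumptions for illustration, not real hosts, and no network lookups are made.

```python
"""PTR-only versus forward-confirmed reverse DNS (FCrDNS) as an access-control
input. All DNS data here is a constructed in-memory table (assumption for the
example); a real deployment would query a resolver instead."""
import ipaddress


def reverse_name(ip: str) -> str:
    """Owner name of the PTR record for an IPv4 or IPv6 address, e.g.
    '2.0.0.10.in-addr.arpa.' or '...8.b.d.0.1.0.0.2.ip6.arpa.'."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


# Constructed PTR data keyed by reverse name (hypothetical zones).
# 203.0.113.7 sits in a reverse zone the *sender* administers, so the sender
# can publish any PTR target it likes, including a name it does not own.
PTR = {
    reverse_name("10.0.0.2"): "trusted.example.com.",
    reverse_name("2001:db8::2"): "trusted6.example.com.",
    reverse_name("203.0.113.7"): "trusted.example.com.",   # forged claim
    reverse_name("203.0.113.8"): "box.attacker.example.",  # honest, own name
}

# Constructed forward (A/AAAA) data keyed by host name. The owner of
# example.com never pointed trusted.example.com at 203.0.113.7.
FORWARD = {
    "trusted.example.com.": {"10.0.0.2"},
    "trusted6.example.com.": {"2001:db8::2"},
    "box.attacker.example.": {"203.0.113.8"},
}


def ptr_only_allows(ip: str, allowed_names: set[str], ptr=PTR) -> bool:
    """Naive check: admit if the PTR target is on the allow-list.
    Fooled by anyone who controls the reverse zone for their own address."""
    name = ptr.get(reverse_name(ip))
    return name is not None and name in allowed_names


def fcrdns_allows(ip: str, allowed_names: set[str], ptr=PTR, fwd=FORWARD) -> bool:
    """Forward-confirmed check: the PTR target must be on the allow-list AND
    its A/AAAA records must contain the connecting address. This stops the
    forged-PTR case but still only proves two DNS zones agree with each
    other; without DNSSEC a spoofed response passes, and it never
    authenticates the peer."""
    name = ptr.get(reverse_name(ip))
    if name is None or name not in allowed_names:
        return False
    client = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(a) == client for a in fwd.get(name, ()))


if __name__ == "__main__":
    allowed = {"trusted.example.com.", "trusted6.example.com."}
    for addr in ("10.0.0.2", "2001:db8::2", "203.0.113.7", "203.0.113.8", "192.0.2.1"):
        print(f"{addr:>14}  ptr-only={ptr_only_allows(addr, allowed)!s:5}  "
              f"fcrdns={fcrdns_allows(addr, allowed)}")
```

Run stand-alone, the forged address 203.0.113.7 is admitted by the PTR-only check and rejected by the forward-confirmed one; 203.0.113.8 passes forward confirmation for its own name but is rejected because that name is not on the allow-list. That is the whole value of forward confirmation: it ties an address to a name whose zone owner cooperates, nothing more, which is why the draft says it adds no real security as an authentication mechanism.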