On Sat, 12 Jul 2003, Robert Elz wrote:
>   | If you can't trust the guy whose NIQ's you're answering to enough that you
>   | need to obfuscate the association between RFC3041 and non-RFC3041
>   | addresses, you shouldn't be answering those NIQ's at all.
>
> Pekka, couldn't you say the exact same thing about DNS queries?

Not really..

> The two are just different mechanisms for getting the same information
> after all (well, similar information anyway, each has advantages over
> the other for different uses).
>
> I haven't heard anyone claiming that DNS queries should be blocked at
> site borders, because you can't trust the big outside world to know
> any of that information.

.. you don't query DNS information from the nodes themselves. You query
it from designated DNS servers.

Now, if NIQ mechanism would be made so that the nodes would report their
hostname<->address mappings to some site-specific registries, and one
would be able to query the data from those registries (applicable to the
policy set by the network administrator for such queries), we would be
talking about an entirely different thing.. not too far from DNS + dynamic
updates (or IETF-specified protocol for standard Looking Glass lookups for
certain information about routers, depending on whether you're looking at
querying information from hosts or routers.)

> But there's absolutely nothing here that mandates that people should be
> told that they really should block all NIQ packets, any more than we
> would consider telling people that they should block all DNS packets.

Blocking them would be very much in line with the intended applicability
of NIQs as written down AFAICS. I'd like to implement the stick
(blockage) in addition to the carrot (nice words about applicability) in
the NIQ specification so that it's not misused.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
