On Wed, Mar 5, 2014 at 5:33 AM, Masato Yamanishi <[email protected]> wrote:
> Is there anyone who wants to continue this proposal?
I read the Transcript, and saw the comment made on the inadvisability of
1.2.3.4/24 being used as a DNS resolver. I am not sure that this concern
is either new enough, or severe enough, to substantially cause the proposal
to be dropped.
To quote the Transcript:

    Yoshinobu Matsuzaki (IIJ): Let me clarify why I oppose prop-110,
    because it's creating a new security risk. Once the broadband router
    is set with default settings, that DNS resolver is 1.2.3.4; if there's
    no DNS server maintained by the ISP, probably it queries a DNS server
    in the Internet, and sometimes it's maintained by a good guy, but
    sometimes it could be maintained by a bad boy. Right?
I see two scenarios which might lead to this objection: (Yamanishi-san,
please forward this email to mazz if he is not on this list. I hope I am
not misunderstanding his objections.)
1. Consumer Router manufacturers might start hardcoding 1.2.3.4 as the
default DNS resolver, and this may be someone outside the ISP's network. I
appreciate that this may happen, and I have seen similar things happen re:
NTP servers. I do not, however, think this is either going to be likely,
or widespread. At least in SE Asia, I have not seen any Home Routers with
even Google's PDNS hardcoded into them. As such, I do not think D-Link or
Linksys (as an example) is likely to ship devices with 1.2.3.4 as the
default. The support costs for D-Link if this does not work would be
prohibitive.
2. Second, the Home Device could be re-sold, with 1.2.3.4 as the DNS
setup, and the new owner would unknowingly be using it. I consider this
extremely unlikely to happen accidentally. The new owner would (unless he
had exactly the same ISP and setup) need to review settings, perhaps a
factory default. And if he had the same ISP and setup as the previous
owner, then there would be no additional danger anyway.
As such, I am not saying that a bad network operator could not announce
1.2.3.4, and wait for people to use him. I am saying that this is not an
additional danger; many people already use 8.8.8.8 and 4.4.2.2, for
example, or OpenDNS.
And any person deciding to announce 1.2.3.0/24 to the open network would
have to face a massive traffic storm anyway. prop-109 by Geoff Huston
mentions the traffic flowing to certain easily-remembered ranges. Assuming
that 1.2.3.0/24 gets even 50Mbps of traffic if I announce it to the
Internet, that is still an expensive pipe, and probably not worth it
on the off-chance that a random user will use it and allow "evil me" to
redirect him to the particular bank that he is a member of, and which I am
forging a website for.
To summarize, there is no ADDITIONAL danger, and there are some advantages
to this proposal. I would like work on this proposal to continue, and see
if we can address the concerns raised at the APNIC Meeting.
(BTW, I see that AS15169, Google, is still advertising 1.2.3.0/24. This
may be due to the APNIC-YouTube experiment).
--
Sanjeev Gupta
+65 98551208 http://sg.linkedin.com/in/ghane