North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: request for help w/ ATT and terminology

  • From: Joe Greco
  • Date: Fri Jan 18 23:12:07 2008

> On Thu, 17 Jan 2008 17:35:30 -0500
> Valdis.Kletnieks@xxxxxx wrote:
> > On Thu, 17 Jan 2008 21:29:37 GMT, "Steven M. Bellovin" said:
> > 
> > > You don't always want to rely on the DNS for things like firewalls
> > > and ACLs.  DNS responses can be spoofed, the servers may not be
> > > available, etc.  (For some reason, I'm assuming that DNSsec isn't
> > > being used...)
> > 
> > Been there, done that, plus enough other "stupid DNS tricks" and
> > "stupid /etc/host tricks" to get me a fair supply of stories best
> > told over a pitcher of Guinness down at the Undergroud..
> 
> I prefer nice, hoppy ales to Guiness, but either works for stories..

Heh.

> > *Choosing* to hardcode rather than use DNS is one thing.  *Having* to
> > hardcode because the gear is "too stupid" (as Joe Greco put it) is
> > however "Caveat emptor" no matter how you slice it...
> 
> Mostly.  I could make a strong case that some security gear shouldn't
> let you do the wrong thing.  (OTOH, my preferred interface would do the
> DNS look-up at config time, and ask you to confirm the retrieved
> addresses.)  You can even do that look-up on a protected net in some
> cases.

It's all nice and trivial to generate scenarios that could work, but the
cold, harsh reality of the world is full of scenarios that don't work.

Exempting /etc/resolv.conf (or Windows equiv) from blame could be
considered equally silly, because DHCP certainly allows discovery of
DNS servers ...  yet we already exempted that scenario.  Why not exempt
more difficult scenarios, such as "how do you use DNS to specify a
firewall rule that (currently) allows 123.45.67.0/24".  Your suggested
interface for single addresses is actually fairly reasonable, but is not
comprehensive by a long shot, and still has some serious issues (such as
what happens when the firewall in question is under someone else's
administrative control, the config-time nature of the DNS resolution 
solution means that the use of DNS doesn't actually result in your being
able to get that update installed without their intervention).

It's also worth remembering that hardware manufactured fairly recently
still didn't have DNS lookup capabilities; I think only our newest
generation of APC RPDU's has it, for example, and it doesn't do it for
ACL purposes.  The CPU's in some of these things are tiny, as are the
memories, ROM/flash, etc.  And it's simply unfair to say that equipment
older than N years must be obsolete.

As much as I'd like it to be easy to renumber, I'd say that it's
unreasonable to assume that it is actually trivial to do so.  Further,
the real experiences of those who have had to undergo such an ordeal
should represent some hard-learned wisdom to those working on
autoconfiguration for IPv6; if we don't learn from our v4 problems,
then that's stupid.  (That's primarily why this is worth discussing)

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.