To:
Edward Warnicke <eaw@cisco.com>
Cc:
Brad Knowles <brad.knowles@skynet.be>, Peter Koch <pk@TechFak.Uni-Bielefeld.DE>, DNSOP WG <dnsop@cafax.se>
From:
Brad Knowles <brad.knowles@skynet.be>
Date:
Tue, 8 Jul 2003 18:32:58 +0300
In-Reply-To:
<Pine.GSO.4.53.0307080811320.16103@eaw-u5.cisco.com>
Sender:
owner-dnsop@cafax.se
Subject:
Re: draft-warnicke-network-dns-resolution-02.txt
At 8:51 AM -0400 2003/07/08, Edward Warnicke wrote:

> I seem to have miscommunicated. I am in no way suggesting that a router
> provide arbitrary "lawful intercept" services for some unknown
> party in some other country. Please see
> http://www.ietf.org/internet-drafts/draft-baker-slem-architecture-01.txt

Okay, fair enough. But if you want to get wide availability of this feature, you have to give people a reason to actively want to provide this information.

Since many sites may not have fully secured their routers, if they identify the first hop router for each netblock they own, then there is the risk that people will make a stronger and more concerted attack on that router, perhaps trying to subvert or abuse features that may have been included and turned on by default.

IMO, this is like revisiting the whole WKS idea all over again. In the early days of the Internet, that was good. But in the modern days where publishing any additional information about your system may result in an increased security exposure, I just can't see something like this being broadly useful or widely adopted.

Moreover, I see this opening up whole new cans of worms that I don't think we want to even think about.

--
Brad Knowles, <brad.knowles@skynet.be>

"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
    -Benjamin Franklin, Historical Review of Pennsylvania.

GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E-(---) W+++(--) N+ !w--- O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++) tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++)

#----------------------------------------------------------------------
# To unsubscribe, send a message to <dnsop-request@cafax.se>.