To: Brad Knowles <brad.knowles@skynet.be>
CC: Peter Koch <pk@TechFak.Uni-Bielefeld.DE>, DNSOP WG <dnsop@cafax.se>
From: Ed Warnicke <eaw@cisco.com>
Date: Wed, 09 Jul 2003 14:13:57 -0400
In-Reply-To: <a06001235bb3093a03f20@[192.168.0.3]>
Sender: owner-dnsop@cafax.se
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3.1) Gecko/20030618 Debian/1.3.1-3
Subject: Re: draft-warnicke-network-dns-resolution-02.txt
Brad Knowles wrote:

> At 8:51 AM -0400 2003/07/08, Edward Warnicke wrote:
>
>> I seem to have miscommunicated. I am in no way suggesting that a
>> router provide arbitrary "lawful intercept" services for some unknown
>> party in some other country. Please see
>> http://www.ietf.org/internet-drafts/draft-baker-slem-architecture-01.txt
>
> Okay, fair enough. But if you want to get wide availability of
> this feature, you have to give people a reason to actively want to
> provide this information.

True. In the Lawful Intercept application there are legal requirements that the network owner provide wiretapping services (usually when presented with a warrant; your local laws may vary). This requirement can be fulfilled in a number of ways, but clearly service providers would like to comply with legal requirements in the least expensive possible way. Many of the mediation devices that provide the intelligence behind doing the tapping will be supplied by third-party vendors. If these third-party vendors must integrate their mediation devices separately with the OSS system of each service provider to obtain information about the first-hop router(s), this could be quite expensive. If the mediation device vendors can integrate against a particular use of the existing DNS system, this should be much less expensive. If it saves service providers money, they will implement it. If it doesn't, they won't.

Likewise, if other applications arise, and if they are compelling to the parties in a position to implement the draft, it will be implemented; otherwise it won't.

> Since many sites may not have fully secured their routers, if they
> identify the first hop router for each netblock they own, then there
> is the risk that people will make a stronger and more concerted attack
> on that router, perhaps trying to subvert or abuse features that may
> have been included and turned on by default.

This is a good point, and one that has been brought up before. There are ways of controlling the distribution of RRs from a particular edge network if the network owner is concerned. I also mentioned this issue in the Security Considerations section of the draft.

Ed

#----------------------------------------------------------------------
# To unsubscribe, send a message to <dnsop-request@cafax.se>.
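One concrete way a network owner can control who receives the records that identify a first-hop router, as an added illustration that is not part of this message or of the draft: serve two views of the same zone from BIND, one for an ACL of authorised mediation devices and one for everybody else, and keep the router-identifying records only in the zone file behind the restricted view. The record itself is not shown here because the page does not give the draft's naming or RR convention; the ACL addresses, zone name and file names are constructed placeholders.

```conf
// Added example, not from the draft or the e-mail above.
// Goal: only authorised clients can learn first-hop router information
// from example.net; the general public sees a copy of the zone without it.

acl "li-mediation" {
    // Constructed placeholder addresses for the mediation devices that are
    // entitled to the first-hop records. Replace with the real ones.
    192.0.2.10;
    192.0.2.11;
};

// Clients matching the ACL get the full zone.
view "mediation" {
    match-clients { "li-mediation"; };
    recursion no;
    zone "example.net" {
        type master;
        // Constructed file name: this copy of the zone carries the
        // first-hop router records (format per the draft, not shown here).
        file "example.net.mediation";
    };
};

// Everyone else gets a copy of the zone with those records omitted.
// Order matters: BIND uses the first view whose match-clients succeeds,
// so this catch-all view must come last.
view "public" {
    match-clients { any; };
    recursion no;
    zone "example.net" {
        type master;
        // Constructed file name: same zone, first-hop records left out.
        file "example.net.public";
    };
};
```

Source-address ACLs are only as trustworthy as the path between the mediation device and the name server; where that path is not under the operator's control, `match-clients` can instead require a TSIG key (for example `match-clients { key "mediation-key"; };`, with the key defined in a `key` statement), so that a query is admitted to the restricted view only when it is signed, not merely because of where it appears to come from.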