

To: mohta@necom830.hpcl.titech.ac.jp (Masataka Ohta)
Cc: Ted.Hardie@nominum.com, dnsop@cafax.se
From: Ted Hardie <Ted.Hardie@nominum.com>
Date: Tue, 29 Oct 2002 23:00:35 -0800 (PST)
In-Reply-To: <200210300057.JAA22695@necom830.hpcl.titech.ac.jp> from "Masataka Ohta" at Oct 30, 2002 09:57:21 AM
Reply-to: Ted.Hardie@nominum.com
Sender: owner-dnsop@cafax.se
Subject: Re: DoS and anycast

> > Deploying anycast services (outside the RFC-1930 compliant methods
> > currently in use) lessens the effect of a DoS attack, but at the cost
> > of risking the integrity of the data provided by the service.
> 
> As I have pointed out several times already, anycast root servers
> are the protection from forged routes, so that the risk of getting
> forged data is reduced.

It moves the risk around.  Let's assume that everyone in the world is
allowed to grab a copy of the root zone from one canonical place.
What is to prevent someone injecting a false route to a server
pretending to be the canonical server, thus provisioning a bad copy of
the zone to those listening to the route?

If the scale is "everyone in the world can grab a copy", the answer is
the same protection which currently prevents false routes to the root
servers now: not much.  Basically, ISP clue prevents it (or at least
lessens the impact by correctly diagnosing if/when it happens).  This
isn't enough, as that clue is not always present.  

You *can* get other checks to ameliorate the risks at radically
smaller scales.  But who gets to decide who gets to play, and how do
we set up the initial trust relationships?  And why spend that effort
when the same effort spent on other choices gets us so much more?


> 
> What is the current protection against the forged data?

As above: not much, and not enough.  This is an argument for providing
good data integrity mechanisms, independent of what the distribution
mechanism might be (unicast, anycast, sneakercast).

				regards,
					Ted Hardie
