

To: Bill Woodcock <woody@pch.net>
Cc: Bill Manning <bmanning@ISI.EDU>, Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>, dnsop@cafax.se
From: Ben Stern <bstern@electromagnetic.net>
Date: Fri, 1 Nov 2002 16:19:58 -0500
Content-Disposition: inline
In-Reply-To: <Pine.GSO.4.44.0210291139590.22429-100000@paixhost.pch.net>; from woody@pch.net on Tue, Oct 29, 2002 at 11:42:19AM -0800
Sender: owner-dnsop@cafax.se
User-Agent: Mutt/1.2.5.1i
Subject: Re: DoS and anycast

On Tue, Oct 29, 2002 at 11:42:19AM -0800, Bill Woodcock wrote:
>       On Tue, 29 Oct 2002, Bill Manning wrote:
>     > anycast will not prevent DoS attacks.
> Correct.  It will merely sink attacks at the nearest instance.  This is
> not particularly useful until there are a _lot_ of instances.  For
> instance, if every major carrier ran instances near their customer edges,
> then all attacks would be sunk before they left any of those carriers, or
> before they even affected those carriers' internal backbones.  That would
> be ideal, since it would localize the pain in the same locality as the
> fault.  However, we're presumably quite a long ways away from being there.

At risk of wandering far off topic, I suspect that were there some attempt
(admittedly requiring a fair amount of effort and administrivia) to provide
liaisons between the RSAAC and the major ISPs, it might be overall fairly
easy to set up extra (anycasted) roots at the major ISPs.

I obviously cannot speak for other major ISPs, and am speaking here as an
individual, not as a representative of AS2548, but I do not see anything
obviously stopping various national carriers from anycasting the root, other
than a) lack of obvious contacts at the roots, and b) lack of perceived
authority. [0] [1]

Feel free to correct me if I am missing something that is preventing major
ISPs from volunteering to anycast the roots today.

Ben Stern
[0] In reference to NOTE WELL et al, this is not in any way a statement of
    the operations at AS2548, or of the policy or opinions of Allegiance
    Internet.
[1] It strikes me as playing dirty pool with the worldwide DNS to anycast
    the root zone without explicit permission from the RSAAC, since although
    the immediate ramifications are only disruptive to customers, doing so
    could lead to a worldwide loss of reputation as "that carrier that stole
    a copy of the root zone."
-- 
Ben Stern             UNIX & Networks Monkey             bstern@bstern.org
 This post doesn't represent AI, even if I claim it does.  Neener neener.
UM Linux Users' Group     Electromagnetic Networks      Microbrew Software