

To: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
Cc: dnsop@cafax.se
From: Brad Knowles <brad.knowles@skynet.be>
Date: Sun, 3 Nov 2002 11:54:54 -0600
In-Reply-To: <200211031338.WAA15689@necom830.hpcl.titech.ac.jp>
Sender: owner-dnsop@cafax.se
Subject: Re: DoS and anycast

At 10:38 PM +0859 2002/11/03, Masataka Ohta wrote:

>>  	I don't trust them to do the job right.
>
>  That's why every ISP should run anycast root servers by itself
>  not relying on ones run by adjacent ISPs.

	No.  Not at all.  That is why *NONE* of them should be doing 
anycast root.  None of them are likely to get it right, and the more 
of them doing it, the more risk there is that it will get screwed up. 
Since they would be advertising this accessibility to anyone who 
accepts their route announcements, they could take down large chunks 
of the 'net.

	Under no circumstances whatsoever should Joe Random ISP be 
running anycast root.


	The only people who should be running anycast root are the people 
we know and trust to do the job right, and where we can be reasonably 
sure that the organization will continue to have the necessary skills 
& talents to do the job if/when that person (or group of people) may 
move on.

	Moreover, these people should be the ones that we actively 
solicit to perform this task.

>  You are saying that, even if you securely retrieve some address
>  from DNS, you do not trust the networking guys to connect you to
>  a host of the address.

	Yup.  Moreover, while I would trust this one guy to do the DNS 
side correctly, I don't know that I'd trust anyone else there to do 
the same.  So, if/when he left, there might not be a good person to 
replace him in this task.

>  Then, there is no point of secure DNS.

	Absolutely not.  I don't know where you get this concept of 
twisting someone's words and then twisting their conclusions to 
support your own half-baked ideas, but you are, yet once again, 
absolutely and completely wrong.

	The point of using a cryptographically secure DNS is that the 
packets could pass through any number of untrusted paths, and the 
data would remain protected.

	At least, we'd be likely to survive any unintentional damage caused.


	If there were an active attack, they might be able to compromise 
your idea of what the keys should be, and do a man-in-the-middle 
attack on all signed data (modifying the data, substituting their 
keys, and then re-signing on the fly), but that would take a fair 
amount of work.

	I imagine the Chinese government could do it, but I don't imagine 
that there are too many other groups out there that could.

>>  	Then there's the issue of current DNS UDP truncation at the
>>  roots.  There's no way this would fit into ~500 bytes:
>
>  Sounds like you never took a look at "anycast".

	Anycast requires that the data fit into a single UDP packet, 
which cannot be more than 512 bytes long.  TCP does not anycast. 
Therefore, given that the DNS requires that we re-query with TCP any 
truncated DNS response, we need to eliminate the source of the 
truncation before we can reasonably expect to anycast the UDP.

>  With UDP without truncation, we can run millions of root servers.

	Sure.  But we do have truncation, so we can't do this.  We have 
to eliminate the truncation first.

	Moreover, we wouldn't want to run millions of root servers 
anyway.  There aren't a million (or a hundred thousand, or ten 
thousand, or a thousand) people on the 'net that I would trust to run 
an anycast root, and there aren't even that many people I'd trust to 
run the network for an anycast root.

-- 
Brad Knowles, <brad.knowles@skynet.be>

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
     -Benjamin Franklin, Historical Review of Pennsylvania.

GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E W+++(--) N+ !w---
O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++)
tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++)
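The 512-byte UDP limit and TCP fallback that the message above describes, worked through as an added example (not code from the original post or from anyone on the list): it builds a root-referral style response without name compression, shows that it does not fit in a classic 512-byte UDP payload, trims it the way an RFC 1035 server must (drop records, set the TC bit), and then shows the client-side check that decides whether to re-query over TCP. The server names are the real root server names, but the addresses are constructed TEST-NET-1 placeholders, and omitting name compression is a deliberate simplification.

```python
import struct

# RFC 1035 limit for a DNS message carried over UDP when no EDNS0 is in play.
UDP_PAYLOAD_MAX = 512
FLAG_QR = 0x8000   # message is a response
FLAG_AA = 0x0400   # authoritative answer
FLAG_TC = 0x0200   # truncated: client must retry over TCP
TYPE_A, TYPE_NS, CLASS_IN = 1, 2, 1

# Constructed sample data: real root server names, placeholder TEST-NET-1 addresses.
ROOT_SERVERS = [(f"{c}.root-servers.net.", f"192.0.2.{i + 1}")
                for i, c in enumerate("abcdefghijklm")]


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels ("." becomes a single zero byte)."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if label:
            out.append(len(label))
            out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def ns_rr(owner, target, ttl=518400):
    """NS resource record: owner, TYPE, CLASS, TTL, RDLENGTH, RDATA (target name)."""
    rdata = encode_name(target)
    return encode_name(owner) + struct.pack("!HHIH", TYPE_NS, CLASS_IN, ttl, len(rdata)) + rdata


def a_rr(owner, ipv4, ttl=518400):
    """A resource record with a 4-byte address in RDATA."""
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    return encode_name(owner) + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4) + rdata


def build_response(txid, qname, qtype, answers, additional, flags=FLAG_QR | FLAG_AA):
    """Assemble header + question + answer + additional sections (no authority section)."""
    header = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, len(additional))
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    return header + question + b"".join(answers) + b"".join(additional)


def fit_for_udp(txid, qname, qtype, answers, additional):
    """Server side: drop trailing records until the message fits 512 bytes.

    If anything had to be dropped the TC bit is set so the client knows the
    UDP reply is incomplete and must ask again over TCP.
    """
    ans, add = list(answers), list(additional)
    dropped = False
    while True:
        flags = FLAG_QR | FLAG_AA | (FLAG_TC if dropped else 0)
        msg = build_response(txid, qname, qtype, ans, add, flags)
        if len(msg) <= UDP_PAYLOAD_MAX:
            return msg
        dropped = True
        if add:
            add.pop()          # glue goes first; it is the least essential
        elif ans:
            ans.pop()
        else:
            raise ValueError("header and question alone exceed the UDP limit")


def section_counts(msg):
    """Return (QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT) from the header."""
    return struct.unpack("!HHHH", msg[4:12])


def needs_tcp_retry(msg):
    """Client side: a set TC bit means the UDP answer is incomplete; retry over TCP."""
    (flags,) = struct.unpack("!H", msg[2:4])
    return bool(flags & FLAG_TC)


def root_referral_sizes():
    """Size of the full (uncompressed) root NS set, and of the UDP-trimmed copy."""
    answers = [ns_rr(".", name) for name, _ in ROOT_SERVERS]
    glue = [a_rr(name, addr) for name, addr in ROOT_SERVERS]
    full = build_response(0x1234, ".", TYPE_NS, answers, glue)
    trimmed = fit_for_udp(0x1234, ".", TYPE_NS, answers, glue)
    return len(full), len(trimmed), needs_tcp_retry(full), needs_tcp_retry(trimmed)


if __name__ == "__main__":
    full_len, udp_len, full_tc, udp_tc = root_referral_sizes()
    print(f"full response: {full_len} bytes, TC={full_tc}")
    print(f"UDP-sized response: {udp_len} bytes, TC={udp_tc} -> retry over TCP: {udp_tc}")
```

The point the trimming makes visible is the one the message argues: whenever the UDP reply carries the TC bit, the client falls back to a TCP session, and a TCP session is a stateful exchange with one specific server rather than a single stateless packet that any anycast instance could answer.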
