On Tue, Jul 29, 2008 at 11:35:03AM -0500, Justin Cappos wrote: > I was wondering if any changes have been made or are planned for > MirrorManager (i.e. preventing mirrors from arbitrary grabbing parts > of the address space). We're submitting the final version of our > paper soon (the version that will appear in print) and I'd like to > include any updates about this. Yesterday I sent the long list of steps planned or under way. Some of these involve MM, some yum. As for "arbitrary grabbing of address space", I'm open to ideas. Perhaps a /16 is too large for "anyone" to be able to grab - e.g. could should limit the auto-granted size by some amount. However, it doesn't eliminate the concern. If Mallory wants to attack specifically Alice, he only need know the addresses Alice is likely to be coming from and add those in, even one-at-a-time. Restricting to a /16 seemed reasonable to me. A good balance of "big enough to be useful", yet small enough that it can't affect too many people. Larger allocations are available on request, by showing some form of ARIN assignment. Still, one could request such and run a mirror inside that assignment that is still malicious. And I'm not willing to throw out this very useful feature, for fear someone could use it for evil. -- Matt Domsch Linux Technology Strategist, Dell Office of the CTO linux.dell.com & www.dell.com/linux _______________________________________________ Fedora-infrastructure-list mailing list Fedora-infrastructure-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
