> From: ietf-bounces@xxxxxxxx [mailto:ietf-bounces@xxxxxxxx] On Behalf Of John Kristoff
> On Fri, 15 Jul 2005 11:48:28 -0700
> "Hallam-Baker, Phillip" <pbaker@xxxxxxxxxxxx> wrote:
>
> > There are certain limitations to the SRV prefix scheme but these are
> > entirely fixable. All we actually need is one new RR to allow one
> > level of indirection to be introduced. With that in place it is
> > possible to use prefixed SRV records in place of port assignments and
> > prefixed TXT records as a means of expressing protocol configuration
> > information.
>
> I'm concerned this may usher in DNS SRV message filtering in
> addition to protocol port filtering.

Why? My post pointed out that use of SRV is essentially neutral with respect to protocol filtering. It makes it easier to filter well behaved protocols; it does not prevent steganographic approaches.

The firewalls are having to become more complex to respond to current protocol developments, in particular the emergence of Web Services. The Web Services stack is designed from the ground up to support protocol filtering at the SOAP layer, so SRV merely represents a means of pre-emption.

From a security point of view there is a big difference in the accountability structures when dealing with protocols that require prior bilateral discovery (e.g. tunneling botnet control packets over HTTP) and those that allow for unilateral session initiation (e.g. tunneling botnet control packets over IRC). There is a reason that the botnet herders stick with IRC despite the fact that it is routinely blocked in corporate environments. Systems that require bilateral discovery are very hard to set up and fragile in operation. Systems with a common signaling mechanism are in practice much more robust.

There are two objectives here: maintaining the traditional openness of the Internet and ensuring that the Internet is secure. These objectives are not necessarily in conflict. But they will come into conflict if people refuse to accept that there are legitimate interests on both sides. If we take the SRV mechanism seriously and take our duty to our users seriously we can significantly improve the Internet experience for the ordinary user and make it much easier to deploy new Internet infrastructure.

To answer what I believe John's core point is here: the use of SRV will actually advance the cause that I suspect he is promoting, specifically the enfranchisement of the ordinary Internet citizen. Promoting everything to the DNS level means that an ordinary Internet user can enfranchise their Internet connection simply by purchasing their own DNS name.

There are security concerns here, but remember that according to today's standard Internet firewall configuration externally facing systems live separated in their own DMZ in any case. The only protocol access allowed is from the inside to the outside.
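The quoted post describes prefixed SRV records standing in for port assignments and prefixed TXT records carrying protocol configuration, and the reply argues that this makes well-behaved protocols easier to filter by service name rather than by port. The following Python is an added example, not code from the thread or from any IETF document: it parses a constructed zone fragment (names, ports and TXT keys are illustrative), applies the RFC 2782 priority/weight selection in simplified form (the rule that weight-0 records are ordered first is omitted), and shows a service-prefix allow-list check of the kind an egress policy could apply instead of a port allow-list. The `key=value` TXT convention is assumed for illustration.

```python
"""Parse prefixed SRV/TXT records from a zone fragment, select a target
by SRV priority/weight (RFC 2782, simplified), and check the service
prefix against an allow-list. Added example; all data is constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed zone fragment: illustrative names and ports only.
ZONE = """
_http._tcp.example.net.  IN SRV 10 60 8080 web1.example.net.
_http._tcp.example.net.  IN SRV 10 40 8080 web2.example.net.
_http._tcp.example.net.  IN SRV 20  0 8080 backup.example.net.
_http._tcp.example.net.  IN TXT "path=/api" "tls=required"
_irc._tcp.example.net.   IN SRV 0   0 6667 chat.example.net.
"""


@dataclass
class SRV:
    priority: int
    weight: int
    port: int
    target: str


def parse_zone(zone: str) -> Tuple[Dict[str, List[SRV]], Dict[str, Dict[str, str]]]:
    """Return (srv_by_owner, txt_by_owner) from a minimal zone-file text.
    Only the 'owner IN TYPE rdata' form is recognised; TXT strings of the
    form key=value are collected into a dict per owner (assumed convention)."""
    srv: Dict[str, List[SRV]] = {}
    txt: Dict[str, Dict[str, str]] = {}
    for line in zone.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[1] != "IN":
            continue
        owner, rtype = parts[0], parts[2]
        if rtype == "SRV" and len(parts) >= 7:
            pri, wt, port, target = parts[3:7]
            srv.setdefault(owner, []).append(SRV(int(pri), int(wt), int(port), target))
        elif rtype == "TXT":
            for s in re.findall(r'"([^"]*)"', line):
                if "=" in s:
                    key, value = s.split("=", 1)
                    txt.setdefault(owner, {})[key] = value
    return srv, txt


def select_target(records: List[SRV], r: float) -> SRV:
    """Pick one record: lowest priority wins, then weighted choice within
    that priority. r is a number in [0, 1) supplied by the caller so the
    choice is reproducible; a real client would draw it at random."""
    lowest = min(rec.priority for rec in records)
    group = [rec for rec in records if rec.priority == lowest]
    total = sum(rec.weight for rec in group)
    if total == 0:
        return group[0]  # all weights zero: any order is acceptable
    threshold = r * total
    running = 0
    for rec in group:
        running += rec.weight
        if threshold < running:
            return rec
    return group[-1]


def service_prefix(owner: str) -> str:
    """'_http._tcp.example.net.' -> '_http._tcp' (the SRV service/proto labels)."""
    labels = owner.rstrip(".").split(".")
    return ".".join(labels[:2])


def policy_allows(owner: str, allowed_services: List[str]) -> bool:
    """Egress check keyed on the advertised service prefix rather than on
    the port the SRV record happens to point at."""
    return service_prefix(owner) in allowed_services


if __name__ == "__main__":
    srv, txt = parse_zone(ZONE)
    web = "_http._tcp.example.net."
    chosen = select_target(srv[web], 0.5)
    print(f"{web} -> {chosen.target}:{chosen.port} config={txt.get(web)}")
    for owner in srv:
        print(owner, "allowed" if policy_allows(owner, ["_http._tcp"]) else "blocked")
```

The selection routine returns the SRV record a client would connect to, and the TXT dictionary carries the configuration the post describes; the allow-list check is the filtering point the reply makes, expressed as a function a resolver-aware policy engine could call.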