Re: DNS role (RE: NATs as firewalls, cryptography, and curbing DDoS threats.)


On Mar 8, 2007, at 2:13 AM, Brian E Carpenter wrote:

On 2007-03-08 02:06, Hallam-Baker, Phillip wrote:
OK I will restate. All connection initiation should be exclusively mediated through the DNS and only the DNS.

Would that include connections to one's DHCP server, SLP server, default gateway,
and DNS server?

Hmm...

This represents a controversial topic where my perspective might be somewhat unique. But...

In systems that are attempting to be as open as possible, where email is an example, the primary method for controlling abuse has been to truncate connections based upon IPv4 addresses. This address space allows methods using a deterministic amount of solid state resources. When that address space becomes complex, where sources represent a series of addresses translated by gateways, or even using an IPv6 address, tracking soon exceeds practical resource provisioning.

The quality of the control depends upon rapid turn-around by reacting from solid state resources. The alternatives are many orders of magnitude slower. It is not just the route, which is part of the assessment, but also the specific point of origin being tracked. There are techniques to consolidate the address space, but this is not an ideal solution.

Use of IPv4 addressing as a means to control abuse will soon become problematic. One approach would be to identify the client by name, and then allow merged messages to be cryptographically identified by name, where this name then authorizes the specific client by name. A weakness of cryptographic identification is that it can be replayed. While there might be rate limits in place initially, message replay thwarts reliance solely on the cryptographic identification.

By relying upon the stewardship of the client responding promptly to reports of abuse, tracking the names of the clients permits the use of any IP addressing scheme. The cryptographic identifier would authorize the client, or the message would be slowed using various techniques to impose a type of receiver side rate limiting, that might otherwise be lacking. Rate limiting affords time to respond and limits the level of damage.

-Doug
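An added illustration of the receiver-side scheme sketched above (example code, not from the thread or any IETF work): messages are authorized by a cryptographically verified client name rather than a source address, a per-name window limits how fast that name is accepted, and a nonce cache closes the replay weakness. The shared-secret HMAC keys, the name `client.example`, and the limit values are constructed assumptions for the demo.

```python
import hmac
import hashlib
from collections import deque

# Constructed demo: shared HMAC secrets stand in for whatever key material
# a real deployment would publish for a client name (assumption).
KEYS = {"client.example": b"constructed-demo-secret"}


def sign(name: str, nonce: str, body: bytes, key: bytes) -> str:
    """Bind name, nonce and body together so a tag cannot be moved between messages."""
    return hmac.new(key, f"{name}|{nonce}|".encode() + body, hashlib.sha256).hexdigest()


class Receiver:
    """Receiver-side control keyed by verified client name, not IP address."""

    def __init__(self, limit: int = 3, window: float = 60.0):
        self.limit, self.window = limit, window
        self.seen = set()       # (name, nonce) pairs already accepted: replay cache
        self.history = {}       # name -> deque of accept timestamps in the window

    def accept(self, name: str, nonce: str, body: bytes, sig: str, now: float) -> str:
        key = KEYS.get(name)
        if key is None:
            return "reject:unknown-name"
        # Constant-time compare of the expected tag against the presented one.
        if not hmac.compare_digest(sign(name, nonce, body, key), sig):
            return "reject:bad-signature"
        # A valid signature alone is not enough: the same message replayed is refused.
        if (name, nonce) in self.seen:
            return "reject:replay"
        q = self.history.setdefault(name, deque())
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.limit:
            # Over the per-name budget: slow the sender instead of consuming the nonce,
            # so the same message may be retried once the window has moved on.
            return "defer:rate-limited"
        self.seen.add((name, nonce))
        q.append(now)
        return "accept"
```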

_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
