
Re: Transition from 2535 to opt-in



I'm not quite sure who said this, but:

> > This seems bad, but please understand that DNSSEC was neither
> > designed, nor capable as defence against DoS attacks.
> >
> > So, yes, there may be compelling arguments why and when authenticated
> > denial is desired, but defence against DoS attacks is not one of them.

This position taken to an extreme would encourage us to engineer a
"please crash" request into every protocol.

It would be wrong to lump all denial-of-service attacks together into
a single category -- there are many different sorts of attacks which
could cause denial of service.  Some are easy to defend against, some
are hard.

IMHO, the way to go is to engineer protocols (and implementations) to
be robust against low-packet-rate denial-of-service attacks (such as
forged NXDOMAINS and the "classic" SYN flood), while efforts like
itrace provide tools to allow network operators to deal with the
high-packet-rate attacks.

						- Bill


to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.