nanog mailing list archives
RE: To CAIS Engineers - WAKE UP AND TAKE CARE OF YOUR CUSTOMERS
From: Roeland Meyer <rmeyer () mhsc com>
Date: Mon, 14 May 2001 02:35:45 -0700
From: John Fraizer [mailto:nanog () Overkill EnterZone Net] Sent: Monday, May 14, 2001 1:33 AM
On Mon, 14 May 2001, Roeland Meyer:
Yet, I can't depend on IP addrs because my upstream might have to be changed... damn, I shouldn't have depended on my scumbagDSL upstream, eh?Gee, maybe I should have had a names based system afterall? Either way, Iwind up having to rebuild Oracle boxen and applicationservers, every timesomebody farts. Just what in blue hell are we supposed to do?Um, lets see...how about this. You use NAT. That'll be $180.00 please. I'll send you an invoice.
Good luck, some critical stuff can't NAT. Send it, I'll file it in the appropriate receptacle.
BTW, the last I checked SSL certs are usually names based.Pretty slack security, eh? Slack, no. You're comparing apples to oranges here and HOPEFULLY, you know it. Basing security on IN-ADDR is absolutely idiotic.
Agreed, but some code requires it. Which was my point. I'm talking smaller vendors, like Oracle. BTW, how do I fake in-addr.arpa responses for NAT'd space? My Oracle 8i server keeps checking the reverse addr every time I try to create a DB. It's really annoying. Funny thing, my DB2 servers do the same thing ...
Basing security on IP addresses on the other hand is while not a complete security solution, MUCH MORE SOUND than IN-ADDR. You can at least build ACLs in your router(s) that don't allow spoofed traffic to enter your network.
Then, why bother with DNS? This becomes a real problem with non-portable IP blocks. My point remains, names are more portable than IP addrs.
Now, about the SSL security thing. SSL certification is designed to certify the identity of the server and that identity is based on the FQDN. SSL CERTs are around for the PRECISE reason that it is too easy to spoof IN-ADDR, etc.
I agree, and always have, that reverse is easy to spoof. However, breaking reverse is guaranteed to make some things fail. Some of those things are proprietary code, owned by someone else, that I don't have sources for (and which I paid a lot of money for). No, I don't have any clout with Oracle (any more than you do, with Bill Gates).
This is right on up there with: 1) You idiot DSL monkey, you deserve your Inet deathbecause you didn'tmulti-home. 2) No, you can't advertise less than a /20. 3) No, you don't deserve larger than a /32. 4) Yes, we know that makes multi-homing impossible forthose that need itthe most. 5) No, we don't care, you idiot DSL monkeys deserve Inet death. Yeah, the message you send out is real clear. ... and one wonders why the Internet has an implosion problem...And that's right up there with "<plonk!> me please! I'm an idiot DSL monkey! WAAAAAAAAAA! My DSL provider went tits-up and I hadn't built any contengency plan. I'm going to go bankrupt! WAAAAAAAAA!"
I'm glad you enjoyed that, it was supposed to be funny. BTW, DSLnetworks is still in business...how (if they're so bad)? But, that wasn't the point. The point is that many of us, on the end-points, are being hung out there without recourse. How do we multi-home to different providers when routing gets munged as a guaranteed side-effect?
If your business depends (depended) on stable and reliable internet connectivity with your own (or at least non-changing) address space, might I suggest that you should have gone to ARIN for a microblock of address space and established a contengency plan with some other provider(s) in the event that the sky fell?
I've been trying to do that for years. Minor technical difficulties keep getting in the way, like routability. I can get the /24, already have the ASN, but can't get it routed. If it's so easy, how come you haven't done it yet?
Current thread:
- Re: To CAIS Engineers - WAKE UP AND TAKE CARE OF YOUR CUSTOMERS, (continued)
- Re: To CAIS Engineers - WAKE UP AND TAKE CARE OF YOUR CUSTOMERS Adam McKenna (May 15)
- Re: To CAIS Engineers - WAKE UP AND TAKE CARE OF YOUR CUSTOMERS Valdis . Kletnieks (May 15)
- Re: To CAIS Engineers - WAKE UP AND TAKE CARE OF YOUR CUSTOMERS Pyda Srisuresh (May 15)
- RE: To CAIS Engineers - WAKE UP AND TAKE CARE OF YOUR CUSTOMERS Vivien M. (May 15)
- Re: To CAIS Engineers - WAKE UP AND TAKE CARE OF YOUR CUSTOMERS Shawn McMahon (May 15)
- Re: To CAIS Engineers - WAKE UP AND TAKE CARE OF YOUR CUSTOMERS Brett Frankenberger (May 17)
- Re: To CAIS Engineers - WAKE UP AND TAKE CARE OF YOUR CUSTOMERS Shawn McMahon (May 17)
- Re: To CAIS Engineers - WAKE UP AND TAKE CARE OF YOUR CUSTOMERS David Charlap (May 17)
- RE: To CAIS Engineers - WAKE UP AND TAKE CARE OF YOUR CUSTOMERS Pyda Srisuresh (May 15)
- Re: To CAIS Engineers - WAKE UP AND TAKE CARE OF YOUR CUSTOMERS Eric A. Hall (May 15)
- RE: To CAIS Engineers - WAKE UP AND TAKE CARE OF YOUR CUSTOMERS John Fraizer (May 14)
- RE: To CAIS Engineers - WAKE UP AND TAKE CARE OF YOUR CUSTOMERS Dominic J. Eidson (May 14)
- Re: To CAIS Engineers - WAKE UP AND TAKE CARE OF YOUR CUSTOMERS Adam McKenna (May 14)
- Re: To CAIS Engineers - WAKE UP AND TAKE CARE OF YOUR CUSTOMERS Adam Rothschild (May 14)
- Re: To CAIS Engineers - WAKE UP AND TAKE CARE OF YOUR CUSTOMERS bmanning (May 14)
- Re: To CAIS Engineers - WAKE UP AND TAKE CARE OF YOUR CUSTOMERS Hunter Pine (May 14)