nanog mailing list archives
Re: large organization nameservers sending icmp packets to dns servers.
From: Andrew Sullivan <andrew () ca afilias info>
Date: Tue, 7 Aug 2007 17:23:31 -0400
On Tue, Aug 07, 2007 at 01:50:33PM -0700, Kevin Oberman wrote:
that security types (I mean those with a police/physical security background) don't must care for these arguments. It usually comes down to "lock and bar every door unless you can prove to them that there is a need to have the door unlocked".
So these people are also the ones responsible for chaining shut fire doors because "fires never happen in this building, but theft does"? I sure feel safer now! The "need to have the door unlocked" is because that's the way the building is designed to fail its fireproofing. And the need to have the TCP port open is because that's the way the network protocol is designed to fail from UDP. If "this is the way the protocol works" is not enough of an argument, then I'm afraid we're past the point of engineering and into the realm of tea-leaf readers and chicken-entrail-based prognosticators. I'm aware there are such people promoting themselves as security experts. It's rather depressing that those people can still find gainful employment; but in this post-literate age where people prefer to repeat (or listen to) foolish bromides rather than Read the Fine Commentaries that define the protocol, I suppose I ought not to be surprised. Shocked but not surprised, A ---- Andrew Sullivan 204-4141 Yonge Street Afilias Canada Toronto, Ontario Canada <andrew () ca afilias info> M2P 2A8 +1 416 646 3304 x4110
Current thread:
- Re: large organization nameservers sending icmp packets to dns servers., (continued)
- Re: large organization nameservers sending icmp packets to dns servers. Chris L. Morrow (Aug 06)
- Re: large organization nameservers sending icmp packets to dns servers. Peter Dambier (Aug 06)
- Re: large organization nameservers sending icmp packets to dns servers. Joe Abley (Aug 06)
- RE: large organization nameservers sending icmp packets to dns servers. Jason J. W. Williams (Aug 07)
- RE: large organization nameservers sending icmp packets to dns servers. Donald Stahl (Aug 07)
- Re: large organization nameservers sending icmp packets to dns servers. Patrick W. Gilmore (Aug 07)
- Re: large organization nameservers sending icmp packets to dns servers. Joe Abley (Aug 07)
- Re: large organization nameservers sending icmp packets to dns servers. Kevin Oberman (Aug 07)
- Re: large organization nameservers sending icmp packets to dns servers. Donald Stahl (Aug 07)
- Re: large organization nameservers sending icmp packets to dns servers. Kevin Oberman (Aug 07)
- Re: large organization nameservers sending icmp packets to dns servers. Andrew Sullivan (Aug 07)
- Re: large organization nameservers sending icmp packets to dns servers. Douglas Otis (Aug 07)
- Re: large organization nameservers sending icmp packets to dns servers. Paul Vixie (Aug 08)
- Re: large organization nameservers sending icmp packets to dns servers. Douglas Otis (Aug 08)
- Re: large organization nameservers sending icmp packets to dns servers. Paul Vixie (Aug 08)
- Re: large organization nameservers sending icmp packets to dns servers. Douglas Otis (Aug 09)
- Re: large organization nameservers sending icmp packets to dns servers. Paul Vixie (Aug 09)
- Re: large organization nameservers sending icmp packets to dns servers. Valdis . Kletnieks (Aug 09)
- Re: large organization nameservers sending icmp packets to dns servers. Paul Vixie (Aug 09)
- Re: large organization nameservers sending icmp packets to dns servers. Valdis . Kletnieks (Aug 10)
- Re: large organization nameservers sending icmp packets to dns servers. Douglas Otis (Aug 10)