nanog mailing list archives
Re: request for help w/ ATT and terminology
From: Roland Dobbins <rdobbins () cisco com>
Date: Sat, 19 Jan 2008 12:25:04 +0800
On Jan 19, 2008, at 12:12 PM, William Herrin wrote:
> For renumbering purposes, you could reasonably expect the firewall to perform the translations once when rebooted or reset, after which it would use the discovered IP addresses.
You can do that now with most firewalls and ACLs on most routers - there's generally a configuration setting which allows/disallows live lookups of hostnames when config files are updated containing same. I don't like it due to the load it puts on the resolving box, plus the auditing issue, but some folks do it.
> This would only fail where the firewall was being operated by someone in a different administrative domain than the engineer who has to renumber... And those scenarios are already indicative of a security problem.
'Renumbering' happens all the time due to multiple A records for a single FQDN, DNS-based load-balancing setups, etc. And remember, in many cases, there are hosts in firewall rules/ACLs which are not part of the operator's own administrative domain, but which are external to it.
> Unfortunately, we're all ignoring the big white elephant in the room: spam filters. When a large flow of email suddenly starts emitting from an address that didn't previously send significant amounts of mail, a number of filters squash it for a while based solely on the changed message rate. This can be very traumatic for the engineer trying to renumber and it is 100% outside of his realm of control. And of course, you lose all of the private whitelists that you talked your way on to over the years where you no longer have a valid point of contact.
With regards to antispam systems which are configured to behave in such a manner, this is (or ought to be) a BCP issue, obviously.
> Renumbering is a bad bad thing.
Renumbering in a world in which EIDs and locators are conflated and in which the EID is in any case vastly overloaded from a policy perspective is indeed very painful, and not just for the renumbering party, but for many others, as well.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins () cisco com> // 408.527.6376 voice

Culture eats strategy for breakfast.
-- Ford Motor Company
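The load-time hostname resolution discussed above (resolve names in the rule set once when the config is loaded, then run on the discovered addresses), as an added example that is not part of the thread or of any vendor's firewall code. It keeps the audit record Roland wants, flags the multi-A-record names he points out as a source of silent "renumbering", fails closed on a name that does not resolve, and shows that a host whose address changes after load is no longer matched until the rules are reloaded. The hostnames, addresses, rule syntax and the stand-in resolver table are all constructed for the example; a real deployment would call the system resolver instead.

```python
"""Resolve hostnames in firewall-style rules once at config load, keep an
audit trail of what each name resolved to, and evaluate traffic against
the pinned addresses.  Added example; names and addresses are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import ipaddress

# Constructed stand-in for DNS so the example runs offline (assumed data).
FAKE_DNS = {
    "mail.example.net": ["192.0.2.25"],
    "www.example.net": ["198.51.100.10", "198.51.100.11"],  # multi-A, load-balanced
    "partner.example.org": ["203.0.113.7"],                  # host outside our admin domain
}


@dataclass
class Rule:
    action: str   # "permit" or "deny"
    src: str      # "any", a CIDR/address literal, or a hostname
    dst: str
    port: int


@dataclass
class ResolvedRule:
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: int
    origin: str   # the rule text this entry was expanded from, for auditing


@dataclass
class LoadResult:
    rules: list = field(default_factory=list)
    audit: list = field(default_factory=list)      # (name, addresses, resolved_at)
    warnings: list = field(default_factory=list)


def _expand(token, resolver, result):
    """Return the networks a rule token denotes, resolving a hostname exactly once."""
    if token == "any":
        return [ipaddress.IPv4Network("0.0.0.0/0")]
    try:
        return [ipaddress.IPv4Network(token, strict=False)]
    except ValueError:
        pass  # not an address literal, so treat it as a hostname
    addrs = resolver(token)
    if not addrs:
        # Fail closed: a rule whose name does not resolve must not silently vanish.
        raise LookupError(f"{token}: no A record at load time; refusing to load rule set")
    result.audit.append((token, list(addrs), datetime.now(timezone.utc).isoformat()))
    if len(addrs) > 1:
        result.warnings.append(
            f"{token} has {len(addrs)} A records; rule is pinned to this snapshot")
    return [ipaddress.IPv4Network(a + "/32") for a in addrs]


def load_rules(rules, resolver=lambda name: FAKE_DNS.get(name, [])):
    """Expand every rule into address-based entries using a one-time resolution."""
    result = LoadResult()
    for r in rules:
        origin = f"{r.action} {r.src} -> {r.dst}:{r.port}"
        srcs = _expand(r.src, resolver, result)
        dsts = _expand(r.dst, resolver, result)
        for s in srcs:
            for d in dsts:
                result.rules.append(ResolvedRule(r.action, s, d, r.port, origin))
    return result


def first_match(loaded, src_ip, dst_ip, port):
    """First-match-wins evaluation against the pinned rules; None when nothing matches."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for rr in loaded.rules:
        if s in rr.src and d in rr.dst and rr.port == port:
            return rr.action
    return None


# Constructed sample rule set.
SAMPLE_RULES = [
    Rule("permit", "any", "mail.example.net", 25),
    Rule("permit", "any", "www.example.net", 443),
    Rule("permit", "partner.example.org", "192.0.2.0/24", 22),
]


def load_sample():
    return load_rules(SAMPLE_RULES)


if __name__ == "__main__":
    res = load_sample()
    for entry in res.audit:
        print("resolved", entry)
    for w in res.warnings:
        print("warning:", w)
    # A new www address published in DNS after load is not matched until reload.
    print(first_match(res, "10.0.0.1", "198.51.100.12", 443))
```

The audit list is the piece most firewalls omit when this setting is on: without it, a rule that has been loaded says "www.example.net" while the box is actually enforcing on whatever that name resolved to at the last reload, and nobody can later tell which addresses that were.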