nanog mailing list archives
Re: Reverse DNS RFCs and Recommendations
From: Mark Andrews <marka () isc org>
Date: Sat, 02 Nov 2013 15:13:02 +1100
In message <527459C4.5000308 () necom830 hpcl titech ac jp>, Masataka Ohta writes:
> Mark Andrews wrote:
>
> >>>> It is a lot simpler and a lot more practical just to use shared
> >>>> secret between a CPE and a ISP's name server for TSIG generation.
> >>>
> >>> No it isn't. It requires a human to transfer the secret to the
> >>> CPE device or to register the secret with the ISP.
> >>
> >> Not necessarily. When the CPE is configured through DHCP (or PPP?),
> >> the ISP can send the secret.
> >
> > Which can be seen, in many cases, by other parties
>
> Who can see the packets sent from the local ISP to the CPE directly
> connected to the ISP?

The dhcpd traffic coming in over the cable modem and you want to send
secrets in the clear over a channel like this.

bsdi# tcpdump -n -i sis0 port bootpc
tcpdump: listening on sis0
15:05:15.637252 10.72.0.1.67 > 255.255.255.255.68: hops:1 xid:0xc58c07ae flags:0x8000 Y:122.106.168.231 G:10.72.0.1 ether 0:1d:9:81:64:ba [|bootp]
15:05:15.650590 10.72.0.1.67 > 255.255.255.255.68: hops:1 xid:0xc58c07ae flags:0x8000 Y:122.106.168.231 G:10.72.0.1 ether 0:1d:9:81:64:ba [|bootp]
15:05:34.942619 10.72.0.1.67 > 255.255.255.255.68: hops:1 xid:0x122cf3bb flags:0x8000 Y:10.72.194.250 S:10.72.0.1 G:10.72.0.1 ether 0:17:ee:4c:f3:74 [|bootp]
15:05:36.975213 10.72.0.1.67 > 255.255.255.255.68: hops:1 xid:0x122cf3bb secs:2 flags:0x8000 Y:10.72.194.250 S:10.72.0.1 G:10.72.0.1 ether 0:17:ee:4c:f3:74 [|bootp]
15:05:36.992714 10.72.0.1.67 > 255.255.255.255.68: hops:1 xid:0x122cf3bb secs:2 flags:0x8000 Y:10.72.194.250 S:10.72.0.1 G:10.72.0.1 ether 0:17:ee:4c:f3:74 [|bootp]
15:05:55.931705 10.72.0.1.67 > 255.255.255.255.68: hops:1 xid:0x732 flags:0x8000 Y:10.72.3.3 S:10.72.0.1 G:10.72.0.1 ether 0:11:1a:19:25:a2 [|bootp]
15:05:57.951400 10.72.0.1.67 > 255.255.255.255.68: hops:1 xid:0x732 secs:2 flags:0x8000 Y:10.72.3.3 S:10.72.0.1 G:10.72.0.1 ether 0:11:1a:19:25:a2 [|bootp]
15:05:57.964049 10.72.0.1.67 > 255.255.255.255.68: hops:1 xid:0x732 secs:2 flags:0x8000 Y:10.72.3.3 S:10.72.0.1 G:10.72.0.1 ether 0:11:1a:19:25:a2 [|bootp]
15:05:58.930921 10.72.0.1.67 > 255.255.255.255.68: hops:1 xid:0xc7dba2af flags:0x8000 Y:122.106.152.0 G:10.72.0.1 ether 0:14:bf:a0:db:c8 [|bootp]
15:06:00.054322 10.72.0.1.67 > 255.255.255.255.68: hops:1 xid:0xc7dba2b0 flags:0x8000 Y:122.106.152.0 G:10.72.0.1 ether 0:14:bf:a0:db:c8 [|bootp]
15:06:00.068061 10.72.0.1.67 > 255.255.255.255.68: hops:1 xid:0xc7dba2b0 flags:0x8000 Y:122.106.152.0 G:10.72.0.1 ether 0:14:bf:a0:db:c8 [|bootp]
15:06:08.933232 10.72.0.1.67 > 255.255.255.255.68: hops:1 xid:0x111fb9c2 flags:0x8000 Y:10.72.23.110 S:10.72.0.1 G:10.72.0.1 ether 0:1a:de:6f:99:e6 [|bootp]
15:06:10.941233 10.72.0.1.67 > 255.255.255.255.68: hops:1 xid:0x111fb9c2 secs:2 flags:0x8000 Y:10.72.23.110 S:10.72.0.1 G:10.72.0.1 ether 0:1a:de:6f:99:e6 [|bootp]
15:06:10.959519 10.72.0.1.67 > 255.255.255.255.68: hops:1 xid:0x111fb9c2 secs:2 flags:0x8000 Y:10.72.23.110 S:10.72.0.1 G:10.72.0.1 ether 0:1a:de:6f:99:e6 [|bootp]
^C
10638 packets received by filter
0 packets dropped by kernel
bsdi#

> If you mind wire tapping, you have other things to worry about, which
> needs your access line encrypted (by a manually configured password),
> which makes DHCP packets invisible.
>
> Masataka Ohta
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org
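An added example, not part of the thread: a small Python parser for the one-line bootp summary format tcpdump prints in the capture above. It groups the server-to-client replies the listening host saw by client hardware address, which makes the point of the capture concrete: one host on the cable segment receives the broadcast replies addressed to every other client, so any DHCP option carried in those replies (a TSIG secret included) would be readable by all of them. The sample lines are copied from the capture in the message; the function names are my own.

```python
import re

# Constructed sample: five server->client replies copied from the tcpdump
# capture quoted in the message above (one per client seen by the listener).
SAMPLE_CAPTURE = """\
15:05:15.637252 10.72.0.1.67 > 255.255.255.255.68: hops:1 xid:0xc58c07ae flags:0x8000 Y:122.106.168.231 G:10.72.0.1 ether 0:1d:9:81:64:ba [|bootp]
15:05:34.942619 10.72.0.1.67 > 255.255.255.255.68: hops:1 xid:0x122cf3bb flags:0x8000 Y:10.72.194.250 S:10.72.0.1 G:10.72.0.1 ether 0:17:ee:4c:f3:74 [|bootp]
15:05:55.931705 10.72.0.1.67 > 255.255.255.255.68: hops:1 xid:0x732 flags:0x8000 Y:10.72.3.3 S:10.72.0.1 G:10.72.0.1 ether 0:11:1a:19:25:a2 [|bootp]
15:05:58.930921 10.72.0.1.67 > 255.255.255.255.68: hops:1 xid:0xc7dba2af flags:0x8000 Y:122.106.152.0 G:10.72.0.1 ether 0:14:bf:a0:db:c8 [|bootp]
15:06:08.933232 10.72.0.1.67 > 255.255.255.255.68: hops:1 xid:0x111fb9c2 flags:0x8000 Y:10.72.23.110 S:10.72.0.1 G:10.72.0.1 ether 0:1a:de:6f:99:e6 [|bootp]
"""

# tcpdump's one-line bootp summary: time, src.port > dst.port, then fields.
BOOTP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r".*?xid:(?P<xid>0x[0-9a-f]+)"
    r".*?Y:(?P<yiaddr>\S+)"             # 'your' address offered to the client
    r".*?ether (?P<chaddr>[0-9a-f:]+)"  # client hardware address
)

def parse_bootp_line(line):
    """Return the parsed fields of one summary line, or None if it is not one."""
    m = BOOTP_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def replies_seen(capture):
    """Group server->client replies (port 67 -> 68) by client hardware address."""
    clients = {}
    for line in capture.splitlines():
        rec = parse_bootp_line(line)
        if rec is None or rec["sport"] != 67 or rec["dport"] != 68:
            continue
        entry = clients.setdefault(rec["chaddr"], {"yiaddr": rec["yiaddr"],
                                                   "broadcast": False, "xids": set()})
        entry["broadcast"] |= rec["dst"] == "255.255.255.255"
        entry["xids"].add(rec["xid"])
    return clients

def other_clients_readable(capture, my_chaddr):
    """Other clients whose replies arrived as broadcast, i.e. were readable by
    this listener; every option in those replies is exposed to it."""
    return sorted(mac for mac, e in replies_seen(capture).items()
                  if mac != my_chaddr and e["broadcast"])
```

Run against the full capture the result is the same: every reply is sent to 255.255.255.255, so the listener reads the replies meant for four other clients.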