nanog mailing list archives

Re: Schneier: ISPs should bear security burden


From: Mark Andrews <Mark_Andrews () isc org>
Date: Mon, 2 May 2005 11:40:11 +1000 (EST)


In article <m1DSI5v-008i6YC () rdaver bungi com> you write:

[In the message entitled "Re: Schneier: ISPs should bear security
burden" on May  1, 12:25, "Jay R. Ashworth" writes:]
Ok, so here's a question for you, Dave:

do you have a procedure for entertaining requests to be excluded from
your replies from people with legitimate needs to operate MTA's, who
have been given (let us say) static addresses by their providers which
fall within a range you understand to be dialup?

(I'm assuming you include cable and DSL end-user address pools; this is
the sort of thing I'm asking about.)

Of course, Jay.

First off, static addresses don't belong on the DUL (unless the ISP
chooses to list them).  

Second, any address can be removed by the ISP (even if it is a /32 in
the middle of an otherwise all dynamic /16).  End-users are directed
to have their ISP contact us, as we *do not* take the end-users word
for it.

A quick note to dul () mail-abuse com will get it handled.

        Actually I think there are multiple classes in DUL.

        1.  unfiltered addresses, dynamic
        2.  unfiltered addresses, static
        3.  ISP-filtered addresses, dynamic
        4.  ISP-filtered addresses, static

        Most people using DUL for blocking want to detect the
        unfiltered addresses.  Filtered address space poses no more
        risk than any space not on the DUL and may in fact pose less
        risk, as you know that it requires a deliberate act by the ISP
        to allow outgoing SMTP connections.

        What's needed is two lists.  One for the unfiltered and a
        second for the filtered addresses.  The second one can be
        used as a white list for those who insist on using name-patterns
        to block addresses.

        We already have evidence in this thread of one person using DUL
        as a white list.

        By continuing to lump filtered and unfiltered addresses together
        you are throwing out the baby with the bath water.

        I don't see the need to distinguish between static and dynamic
        addresses.  All address space can be classed as static / dynamic
        depending upon the time frame the address use is measured over.

        Mark
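The split that Mark argues for above, as an added illustration that is not part of this thread and not MAPS/DUL code: the four DUL classes are modelled as entries in a small prefix table, the table is published as two lists (unfiltered space to block on, ISP-filtered space to whitelist), and an inbound-SMTP policy consults both before falling back to a reverse-DNS name pattern. The prefixes, the delisted /32, the name pattern and all function names are constructed for the example; the longest-prefix rule is what makes an ISP-requested /32 removal override the enclosing dynamic block, as Dave describes.

```python
import ipaddress
import re
from enum import Enum
from typing import List, Optional, Tuple


class DulClass(Enum):
    """The four classes of DUL address space named in the post."""
    UNFILTERED_DYNAMIC = "unfiltered dynamic"
    UNFILTERED_STATIC = "unfiltered static"
    ISP_FILTERED_DYNAMIC = "ISP-filtered dynamic"
    ISP_FILTERED_STATIC = "ISP-filtered static"


UNFILTERED = {DulClass.UNFILTERED_DYNAMIC, DulClass.UNFILTERED_STATIC}
FILTERED = {DulClass.ISP_FILTERED_DYNAMIC, DulClass.ISP_FILTERED_STATIC}

# Constructed sample DUL data using documentation prefixes (not real listings).
# A class of None records an ISP-requested removal.  The most specific prefix
# wins, so a /32 can be carved out of an otherwise all-dynamic block.
SAMPLE_DUL: List[Tuple[str, Optional[DulClass]]] = [
    ("192.0.2.0/24", DulClass.UNFILTERED_DYNAMIC),
    ("192.0.2.77/32", DulClass.UNFILTERED_STATIC),      # static, but the ISP chose to keep it listed
    ("198.51.100.0/24", DulClass.ISP_FILTERED_DYNAMIC), # ISP blocks outbound port 25 here
    ("203.0.113.0/24", DulClass.UNFILTERED_DYNAMIC),
    ("203.0.113.10/32", None),                          # removed at the ISP's request
]

# Constructed reverse-DNS name pattern of the kind some sites use to reject
# "dialup-looking" hosts; this is the heuristic the whitelist should override.
DIALUP_NAME_RE = re.compile(r"(dsl|dialup|dyn|cable|ppp)", re.IGNORECASE)


def classify(ip: str, dul=SAMPLE_DUL) -> Optional[DulClass]:
    """Longest-prefix match of ip against the DUL; None means not listed (or delisted)."""
    addr = ipaddress.ip_address(ip)
    best, best_len = None, -1
    for cidr, cls in dul:
        net = ipaddress.ip_network(cidr)
        if addr in net and net.prefixlen > best_len:
            best, best_len = cls, net.prefixlen
    return best


def split_lists(dul=SAMPLE_DUL) -> Tuple[List[str], List[str]]:
    """Publish one DUL as two lists: a block list (unfiltered) and a whitelist (ISP-filtered)."""
    block = [cidr for cidr, cls in dul if cls in UNFILTERED]
    allow = [cidr for cidr, cls in dul if cls in FILTERED]
    return block, allow


def smtp_policy(ip: str, rdns_name: str, dul=SAMPLE_DUL) -> Tuple[str, str]:
    """Decide whether to accept an inbound SMTP connection from ip.

    Unfiltered space is rejected outright.  ISP-filtered space is accepted even
    if its reverse name looks like a dialup host, because outbound SMTP from
    there required a deliberate act by the ISP.  Only unlisted space falls
    through to the name-pattern heuristic.
    """
    cls = classify(ip, dul)
    if cls in UNFILTERED:
        return "reject", f"listed as {cls.value}"
    if cls in FILTERED:
        return "accept", f"whitelisted as {cls.value}; ISP permitted outbound SMTP"
    if DIALUP_NAME_RE.search(rdns_name):
        return "reject", f"reverse DNS name {rdns_name!r} matches dialup pattern"
    return "accept", "not listed and reverse DNS name does not match dialup pattern"


if __name__ == "__main__":
    # Constructed connections: (client IP, reverse DNS name)
    samples = [
        ("192.0.2.5", "host5.dyn.example.net"),
        ("192.0.2.77", "mail.customer.example"),
        ("198.51.100.9", "cpe-9.dsl.example.net"),
        ("203.0.113.10", "mail.smallbiz.example"),
        ("198.18.0.4", "ppp-4.isp.example"),
    ]
    print("block list:", split_lists()[0])
    print("whitelist: ", split_lists()[1])
    for ip, name in samples:
        action, reason = smtp_policy(ip, name)
        print(f"{ip:15} {name:25} {action:7} ({reason})")
```

Note that the 198.51.100.9 connection is accepted despite its "dsl" reverse name, while the unlisted 198.18.0.4 host is rejected on the name pattern alone; a single merged DUL cannot express that distinction, which is the point Mark makes.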

