On 10 Sep 2008, at 15:17, Ron Bonica wrote:

> - is BCP38 enough to mitigate the attack vectors described in
> draft-ietf-dnsop-reflectors-are-evil-06

This question needs clarification. I say this because this is an operations group, not a protocol group; what is dealt with here is practice, not theory.

BCP38, if deployed universally, would eliminate the possibility of the DNS reflection attacks I have seen, since all those involved the use of open recursive nameservers as amplifiers whose input consisted of packets with spoofed source addresses. However, I can see that BCP38 is not universally deployed today, and I have no confidence that it will ever be deployed universally.

So I think your question would be better phrased as "can BCP38 deployment be relied upon to mitigate the attack vectors..." and my answer to that question would be "no".

> - is filtering after the attack has begun good enough

If the presence of open resolvers became the exception rather than the rule, then those few open resolvers could be filtered before attacks have begun, perhaps using something akin to a blacklist (which might induce them to stop being open). This would be a better situation than one in which victims have to wait for attacks to start before they start working to filter. So I think I would answer this question "no".

> If the answer to both of these questions is "no", the document can go
> forward as is.

Joe

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
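The two controls discussed in the thread, BCP38 ingress filtering at the provider edge and a blocklist of known open resolvers at the victim side, modelled in a short script. This is an added example and not code from the DNSOP list or the draft; the interface names, prefixes, addresses (all from the RFC 5737/3849 documentation ranges) and the blocklist contents are constructed for the demonstration.

```python
"""Added example (not from the DNSOP thread): a minimal model of BCP38
ingress filtering plus an open-resolver blocklist, run over constructed
sample packets.

Assumptions (mine, not the thread's): each customer-facing interface has a
set of prefixes assigned to that customer, and any packet arriving on that
interface whose source lies outside those prefixes is spoofed and dropped.
The victim-side filter drops DNS replies (UDP source port 53) that come
from resolvers on a blocklist of known open recursors.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on
    src: str     # source IP address
    dst: str     # destination IP address
    sport: int   # UDP source port
    dport: int   # UDP destination port


# Constructed allocation table: customer interface -> prefixes assigned to it.
ALLOCATIONS = {
    "cust1": [ipaddress.ip_network("192.0.2.0/24")],
    "cust2": [ipaddress.ip_network("198.51.100.0/25"),
              ipaddress.ip_network("2001:db8:1::/48")],
}

# Constructed blocklist of resolvers observed to answer recursive queries
# for anyone (the "something akin to a blacklist" the thread mentions).
OPEN_RESOLVER_BLOCKLIST = {
    ipaddress.ip_address("203.0.113.53"),
    ipaddress.ip_address("2001:db8:ffff::53"),
}


def bcp38_permits(pkt, allocations=ALLOCATIONS):
    """BCP38 ingress check at the provider edge: True only if the source
    address lies within a prefix assigned to the arrival interface."""
    prefixes = allocations.get(pkt.iface)
    if prefixes is None:
        return False  # unknown interface: fail closed
    try:
        src = ipaddress.ip_address(pkt.src)
    except ValueError:
        return False  # unparseable source: drop
    return any(src.version == p.version and src in p for p in prefixes)


def victim_side_permits(pkt, blocklist=OPEN_RESOLVER_BLOCKLIST):
    """Pre-attack filter at the victim's border: drop DNS replies that
    originate from a listed open resolver, pass everything else."""
    try:
        src = ipaddress.ip_address(pkt.src)
    except ValueError:
        return False
    return not (pkt.sport == 53 and src in blocklist)


def filter_batch(packets, permit):
    """Split a batch into (forwarded, dropped) using the given check."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if permit(pkt) else dropped).append(pkt)
    return forwarded, dropped


# Constructed traffic at the provider edge. 203.0.113.7 plays the victim;
# packets 2 and 4 carry a forged source and must not leave the edge.
EDGE_PACKETS = [
    Packet("cust1", "192.0.2.10", "203.0.113.53", 40001, 53),      # genuine query
    Packet("cust1", "203.0.113.7", "203.0.113.53", 53, 53),        # spoofed victim
    Packet("cust2", "2001:db8:1::10", "2001:db8:ffff::53", 40002, 53),
    Packet("cust2", "192.0.2.5", "203.0.113.53", 53, 53),          # other customer's prefix
    Packet("unknown", "192.0.2.6", "203.0.113.53", 40003, 53),     # unmapped interface
]

# Constructed traffic arriving at the victim's border.
VICTIM_PACKETS = [
    Packet("upstream", "203.0.113.53", "203.0.113.7", 53, 53),     # reply from listed open resolver
    Packet("upstream", "198.51.100.200", "203.0.113.7", 53, 53),   # reply from unlisted resolver
    Packet("upstream", "203.0.113.53", "203.0.113.7", 40004, 443), # non-DNS traffic from same host
]


def run_demo():
    """Return the (forwarded, dropped) counts for both filters."""
    e_fwd, e_drop = filter_batch(EDGE_PACKETS, bcp38_permits)
    v_fwd, v_drop = filter_batch(VICTIM_PACKETS, victim_side_permits)
    return (len(e_fwd), len(e_drop)), (len(v_fwd), len(v_drop))


if __name__ == "__main__":
    print(run_demo())
```

The edge filter only works where it is deployed, which is the thread's point: a single non-filtering provider is enough for a spoofed query to reach an amplifier. The victim-side blocklist is independent of that and can be in place before any attack, but it only covers resolvers already known to be open, so the two controls complement rather than replace each other.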