RE: hat tip to .gov hostmasters
DNSSEC is not a PKI. There are no CAs and no X.509 certificates. It's a chain of trust that can be validated using public/private key pairs. OK, that's an oversimplification but you get the idea.

While we wait for applications to become DNSSEC-aware, if your local DNS server can be trusted (a big if of course) then it can proxy the DNSSEC awareness for you. Since nearly everybody trusts a local DNS server to resolve queries, then making that server DNSSEC aware is an enormous step forward, even if the actual applications and operating systems on end-user computers are not fully DNSSEC-aware and won't be for many years to come.

Marc

-Original Message-
From: Florian Weimer [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 22, 2008 11:10 AM
To: Colin Alston
Cc: nanog@nanog.org
Subject: Re: hat tip to .gov hostmasters

* Colin Alston:

Correct, you need a validating, security-aware stub resolver, or the ISP needs to validate the records for you.

In public space like .com, don't you need some kind of central trustworthy CA?

No, why would you? You need to trust the zone operator, and you need some trustworthy channel to exchange trust anchors at one point in time (a significant improvement compared to classic DNS, where you need a trustworthy channel all the time).

--
Florian Weimer [EMAIL PROTECTED]
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99
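The "local resolver proxies DNSSEC for you" model above has a concrete wire-level shape: the stub asks for DNSSEC processing by setting the DO bit in an EDNS0 OPT record (RFC 3225), and a validating resolver answers with the AD (Authentic Data) bit set in the header (RFC 4035), or with SERVFAIL when the chain of trust fails. The example below is added here and is not code from any poster in this thread; it builds such a query, parses the reply header, and classifies what the resolver said. The resolver address 127.0.0.1, the query name and the three sample response headers are constructed for illustration. The AD bit is only as trustworthy as the path between the stub and the resolver, which is exactly the "big if" Marc names: an attacker who can spoof replies on that path can set AD too.

```python
"""Stub-side check of whether the local resolver validated DNSSEC for us.

Added example for this thread, not code from any of the posters. It builds
a query that asks for DNSSEC processing (EDNS0 OPT record with the DO bit,
RFC 3225) and reads the AD bit that a validating resolver sets in its reply
(RFC 4035). AD means the resolver vouches for the chain of trust; that is
only worth anything if the path to the resolver is itself trusted.
The server address, query name and sample replies are constructed.
"""
import socket
import struct

QTYPE_A = 1
QTYPE_OPT = 41
QCLASS_IN = 1
FLAG_QR = 0x8000   # response
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available
FLAG_AD = 0x0020   # authentic data: resolver validated the answer
DO_BIT = 0x8000    # DNSSEC OK, top bit of the OPT record's TTL field


def encode_name(name: str) -> bytes:
    """Wire-encode a domain name as length-prefixed labels plus the root label."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_query(name: str, txid: int = 0x1234, udp_size: int = 4096) -> bytes:
    """Query for <name>/IN/A with RD set and one OPT RR carrying the DO bit."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    # OPT pseudo-RR: root name, TYPE 41, CLASS = our UDP payload size,
    # TTL field = ext-RCODE | version | flags (DO is the top bit), RDLENGTH 0.
    opt = b"\x00" + struct.pack("!HHIH", QTYPE_OPT, udp_size, DO_BIT, 0)
    return header + question + opt


def parse_header(message: bytes) -> dict:
    """Pull out the header fields a DNSSEC-aware stub acts on."""
    if len(message) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", message[:12])
    return {"id": txid, "rcode": flags & 0x000F,
            "ad": bool(flags & FLAG_AD), "answers": an}


def classify(message: bytes) -> str:
    """What the resolver is telling us about the answer it returned."""
    h = parse_header(message)
    if h["rcode"] == 2:      # SERVFAIL: what a validating resolver returns for bogus data
        return "servfail"
    if h["rcode"] != 0:
        return "error"
    return "validated" if h["ad"] else "unvalidated"


def query_resolver(name: str, server: str = "127.0.0.1", timeout: float = 2.0) -> str:
    """Send the query over UDP and classify the reply. Not exercised offline;
    the server address is an assumption, point it at your local resolver."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        resp, _ = s.recvfrom(4096)
    if parse_header(resp)["id"] != parse_header(q)["id"]:
        raise ValueError("transaction ID mismatch, discarding reply")
    return classify(resp)


# Constructed 12-byte response headers (not captures): id 0x1234, one question,
# and respectively AD set, AD clear, and SERVFAIL with no answers.
SAMPLE_VALIDATED = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, 1, 1, 0, 1)
SAMPLE_UNVALIDATED = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 0, 1)
SAMPLE_SERVFAIL = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | 2, 1, 0, 0, 1)

if __name__ == "__main__":
    for label, msg in (("validated", SAMPLE_VALIDATED),
                       ("unvalidated", SAMPLE_UNVALIDATED),
                       ("servfail", SAMPLE_SERVFAIL)):
        print(label, "->", classify(msg))
```

Run `query_resolver("example.com", "<your resolver>")` against a resolver you operate: "validated" means it checked the chain for you, "unvalidated" means it did not (no trust anchor, or the zone is unsigned), and "servfail" on a name you know to be signed is the validation failure a DNSSEC-aware stub should treat as an error rather than retry without DO.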
New Intercage upstream
Looks like they found a new willing partner. AS32335 PACIFICINTERNETEXCHANGE-NET - Pacific Internet Exchange LLC. http://cidr-report.org/cgi-bin/as-report?as=AS27595 http://www.pacificinternetexchange.net/ Marc
Re: Revealed: The Internet's Biggest Security Hole
Nothing will change. You think DNSSEC is hard? Try getting support for the deployment of S-BGP or soBGP. Without a trust anchor and lots of community support it will remain largely an academic interest area.

Marc

--Original Message--
From: Gadi Evron
To: Frank
Cc: NANOG list
Sent: Aug 27, 2008 20:54
Subject: Re: Revealed: The Internet's Biggest Security Hole

hehe new. hehe

Maybe something will change now, though, it was a great and impressive presentation, hijacking the defcon network and tweaking TTL to hide it.

On Thu, 28 Aug 2008, Frank wrote:

http://blog.wired.com/27bstroke6/2008/08/revealed-the-in.html

Two security researchers have demonstrated a new technique to stealthily intercept internet traffic on a scale previously presumed to be unavailable to anyone outside of intelligence agencies like the National Security Agency. The tactic exploits the internet routing protocol BGP (Border Gateway Protocol) to let an attacker surreptitiously monitor unencrypted internet traffic anywhere in the world, and even modify it before it reaches its destination. The demonstration is only the latest attack to highlight fundamental security weaknesses in some of the internet's core protocols. Those protocols were largely developed in the 1970s with the assumption that every node on the then-nascent network would be trustworthy. The world was reminded of the quaintness of that assumption in July, when researcher Dan Kaminsky disclosed http://blog.wired.com/27bstroke6/2008/07/details-of-dns.html a serious vulnerability in the DNS system. Experts say the new demonstration targets a potentially larger weakness. "It's a huge issue. It's at least as big an issue as the DNS issue, if not bigger," said Peiter "Mudge" Zatko, noted computer security expert and

--Original Message Truncated--

--
Marcus H. Sachs
Verizon
202 515 2463
Sent from my BlackBerry
Re: Revealed: The Internet's Biggest Security Hole
Yes, wonderful preso! My biggest take-away was the fact that the vast majority of the attendees did not understand the gravity of the demo. The same thing could be said about Dan's talk. It was over the heads of most attendees.

Marc

--Original Message--
From: Gadi Evron
To: Sachs, Marcus H. (Marc)
Cc: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Aug 27, 2008 21:42
Subject: Re: Revealed: The Internet's Biggest Security Hole

On Wed, 27 Aug 2008 [EMAIL PROTECTED] wrote:

Nothing will change. You think DNSSEC is hard? Try getting support for the deployment of S-BGP or soBGP. Without a trust anchor and lots of community support it will remain largely an academic interest area.

I guess it will just remain a cool presentation then, and boy was it cool.

You were there, any special impressions?

Gadi.

Marc

--Original Message--
From: Gadi Evron
To: Frank
Cc: NANOG list
Sent: Aug 27, 2008 20:54
Subject: Re: Revealed: The Internet's Biggest Security Hole

hehe new. hehe

Maybe something will change now, though, it was a great and impressive presentation, hijacking the defcon network and tweaking TTL to hide it.

On Thu, 28 Aug 2008, Frank wrote:

http://blog.wired.com/27bstroke6/2008/08/revealed-the-in.html

Two security researchers have demonstrated a new technique to stealthily intercept internet traffic on a scale previously presumed to be unavailable to anyone outside of intelligence agencies like the National Security Agency. The tactic exploits the internet routing protocol BGP (Border Gateway Protocol) to let an attacker surreptitiously monitor unencrypted internet traffic anywhere in the world, and even modify it before it reaches its destination. The demonstration is only the latest attack to highlight fundamental security weaknesses in some of the internet's

--Original Message Truncated--

--
Marcus H. Sachs
Verizon
202 515 2463
Sent from my BlackBerry
Re: Revealed: The Internet's Biggest Security Hole
I'll have to admit that the TTL manipulation was something I had not thought about. But why not? If you are going to purloin EVERY packet then why not re-write byte 8 in every IP header to a value of your choosing? Very cool.

Marc

--Original Message--
From: Jason Ross
To: Sachs, Marcus H. (Marc)
Cc: Gadi Evron
Cc: [EMAIL PROTECTED]
Sent: Aug 27, 2008 22:21
Subject: Re: Revealed: The Internet's Biggest Security Hole

On Wed, Aug 27, 2008 at 9:52 PM, [EMAIL PROTECTED] wrote:

Yes, wonderful preso! My biggest take-away was the fact that the vast majority of the attendees did not understand the gravity of the demo.

Agreed on both counts: the presentation was great, and largely not understood it seemed.

hehe new. hehe Maybe something will change now, though, it was a great and impressive presentation, hijacking the defcon network and tweaking TTL to hide it.

Notably, Alex and Tony both mentioned that the BGP tricks were not new during the presentation, and commented that it would essentially not be surprising to anyone that groks routing at the level that most of the folks on this list do. What was new though according to their presentation (and it was new to me certainly, but I'm still fairly green) was the AS Path prepending to complete the circuit, and as you mentioned, the TTL magicks to hide the hops. I was suitably impressed at that.

-- Jason

--
Marcus H. Sachs
Verizon
202 515 2463
Sent from my BlackBerry
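"Byte 8 in every IP header" is the IPv4 TTL (RFC 791 offsets: version/IHL at 0, total length at 2, identification at 4, flags/fragment at 6, TTL at 8, protocol at 9, header checksum at 10). Rewriting it is not quite a one-byte patch, because the header checksum covers it; an interceptor that forgets that hands the next router a packet it will drop. The example below is added here and is not the presenters' tooling or anyone's code from the thread: it adjusts the TTL on a constructed IPv4 header, fixes the checksum incrementally per RFC 1624 (and checks the result against a full recomputation), and walks the packet across a hypothetical path in which the interceptor adds back the number of hops its detour will burn, so the remaining TTL at the destination is the same as on the honest path and a hop count inferred from it reveals nothing. The 20-byte sample header and the hop counts are constructed.

```python
"""Rewrite the IPv4 TTL (header byte 8) without breaking the header checksum.

Added example, not the presenters' tooling and not from this thread. An
on-path interceptor whose detour adds k hops can add k back to the TTL, so
the value a destination or a traceroute probe sees is what the honest path
would have produced. The sample header and the hop counts are constructed.
"""
import struct

TTL_OFFSET = 8      # RFC 791: TTL is byte 8, protocol is byte 9
CSUM_OFFSET = 10    # header checksum is bytes 10-11


def header_len(packet: bytes) -> int:
    """IHL (low nibble of byte 0) in 32-bit words, as a byte count."""
    return (packet[0] & 0x0F) * 4


def ipv4_checksum(header: bytes) -> int:
    """Full recomputation: one's-complement sum of 16-bit words, checksum zeroed."""
    h = bytearray(header)
    h[CSUM_OFFSET:CSUM_OFFSET + 2] = b"\x00\x00"
    if len(h) % 2:
        h.append(0)
    total = sum(struct.unpack("!%dH" % (len(h) // 2), bytes(h)))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def checksum_ok(packet: bytes) -> bool:
    """True when the stored checksum matches a full recomputation."""
    hl = header_len(packet)
    stored = struct.unpack("!H", packet[CSUM_OFFSET:CSUM_OFFSET + 2])[0]
    return ipv4_checksum(packet[:hl]) == stored


def adjust_ttl(packet: bytes, delta: int) -> bytes:
    """Return a copy with TTL += delta and the checksum patched incrementally.

    TTL is the high byte of the 16-bit word at offset 8 (low byte is the
    protocol), so the changed word is m = TTL<<8 | proto. RFC 1624 eq. 3:
    HC' = ~(~HC + ~m + m').
    """
    pkt = bytearray(packet)
    old_ttl = pkt[TTL_OFFSET]
    new_ttl = old_ttl + delta
    if not 0 < new_ttl <= 255:   # 0 would be dropped by the next hop; 255 is the ceiling
        raise ValueError("TTL out of range: %d" % new_ttl)
    pkt[TTL_OFFSET] = new_ttl
    old_word = (old_ttl << 8) | pkt[TTL_OFFSET + 1]
    new_word = (new_ttl << 8) | pkt[TTL_OFFSET + 1]
    hc = struct.unpack("!H", pkt[CSUM_OFFSET:CSUM_OFFSET + 2])[0]
    s = (~hc & 0xFFFF) + (~old_word & 0xFFFF) + new_word
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    pkt[CSUM_OFFSET:CSUM_OFFSET + 2] = struct.pack("!H", ~s & 0xFFFF)
    return bytes(pkt)


def ttl_at_destination(packet: bytes, honest_hops: int, hidden_hops: int) -> int:
    """Hypothetical topology: honest_hops routers, then the interceptor, then
    hidden_hops routers on its detour. Each router decrements TTL by one; the
    interceptor adds hidden_hops back before the detour burns them."""
    pkt = packet
    for _ in range(honest_hops):
        pkt = adjust_ttl(pkt, -1)
    pkt = adjust_ttl(pkt, hidden_hops)      # the "TTL magicks"
    for _ in range(hidden_hops):
        pkt = adjust_ttl(pkt, -1)
    return pkt[TTL_OFFSET]


# Constructed 20-byte header: IHL 5, total length 0x73, DF set, TTL 64,
# protocol 17 (UDP), checksum 0xb861, 192.168.0.1 -> 192.168.0.199.
SAMPLE = bytes.fromhex("45000073" "00004000" "4011b861" "c0a80001" "c0a800c7")

if __name__ == "__main__":
    bumped = adjust_ttl(SAMPLE, 3)
    print("TTL %d -> %d, checksum 0x%04x, valid=%s" % (
        SAMPLE[TTL_OFFSET], bumped[TTL_OFFSET],
        struct.unpack("!H", bumped[10:12])[0], checksum_ok(bumped)))
    print("TTL seen at destination, 7 honest hops + 3 hidden:",
          ttl_at_destination(SAMPLE, 7, 3))
```

The defensive corollary is the mirror image: a hop count inferred from the received TTL (or from traceroute) cannot be trusted to detect a detour once the interceptor controls the TTL field, so path-change detection has to come from somewhere the interceptor does not control, such as BGP monitoring of announcements for your own prefixes.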
RE: Paul Vixie: Re: [dns-operations] DNS issue accidentally leaked?
Here's some older ones: http://pdp-10.trailing-edge.com/cgi-bin/searchbyname?name=hosts.txt

Prior to departing SRI last year I spent a bunch of time trying to find some of the old SRI-NIC records. It appears that they were all cleaned out once the contract was closed and the Internet was handed over to Network Solutions. I think that a lot of old records still exist in personal file cabinets and garages around Menlo Park but nothing official is on the campus of SRI.

Marc

-Original Message-
From: Tuc at T-B-O-H [mailto:[EMAIL PROTECTED]]

Jorge Amodio wrote:

/etc/hosts rulez !!! :-)

Wonder if SRI still has the files.

UNOFFICIAL copy from 15-Apr-94 : http://ftp.univie.ac.at/netinfo/netinfo/hosts.txt

Tuc/TBOH