On Thu, 17 Jan 2008 17:35:30 -0500 Valdis.Kletnieks@vt.edu wrote:
On Thu, 17 Jan 2008 21:29:37 GMT, "Steven M. Bellovin" said:
You don't always want to rely on the DNS for things like firewalls and ACLs. DNS responses can be spoofed, the servers may not be available, etc. (For some reason, I'm assuming that DNSsec isn't being used...)
Been there, done that, plus enough other "stupid DNS tricks" and "stupid /etc/host tricks" to get me a fair supply of stories best told over a pitcher of Guinness down at the Underground..
I prefer nice, hoppy ales to Guinness, but either works for stories..
Heh.
*Choosing* to hardcode rather than use DNS is one thing. *Having* to hardcode because the gear is "too stupid" (as Joe Greco put it) is however "Caveat emptor" no matter how you slice it...
Mostly. I could make a strong case that some security gear shouldn't let you do the wrong thing. (OTOH, my preferred interface would do the DNS look-up at config time, and ask you to confirm the retrieved addresses.) You can even do that look-up on a protected net in some cases.
It's all nice and trivial to generate scenarios that could work, but the cold, harsh reality of the world is full of scenarios that don't work. Exempting /etc/resolv.conf (or Windows equiv) from blame could be considered equally silly, because DHCP certainly allows discovery of DNS servers ... yet we already exempted that scenario.
Why not exempt more difficult scenarios, such as "how do you use DNS to specify a firewall rule that (currently) allows 123.45.67.0/24". Your suggested interface for single addresses is actually fairly reasonable, but is not comprehensive by a long shot, and still has some serious issues (such as what happens when the firewall in question is under someone else's administrative control: the config-time nature of the DNS resolution solution means that the use of DNS doesn't actually result in your being able to get that update installed without their intervention).
It's also worth remembering that hardware manufactured fairly recently still didn't have DNS lookup capabilities; I think only our newest generation of APC RPDUs has it, for example, and it doesn't do it for ACL purposes. The CPUs in some of these things are tiny, as are the memories, ROM/flash, etc. And it's simply unfair to say that equipment older than N years must be obsolete.
As much as I'd like it to be easy to renumber, I'd say that it's unreasonable to assume that it is actually trivial to do so. Further, the real experiences of those who have had to undergo such an ordeal should represent some hard-learned wisdom to those working on autoconfiguration for IPv6; if we don't learn from our v4 problems, then that's stupid. (That's primarily why this is worth discussing.)
... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again."
- Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
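The config-time lookup-and-confirm interface Bellovin sketches, together with the two limits Joe Greco raises (a CIDR range has no DNS equivalent, and a pinned address silently goes stale after renumbering until someone re-runs config), as an added example that is not code from any poster. The resolver is injected so it runs offline; the hostnames, addresses and rules are constructed.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple

# Injected resolver stands in for DNS; a real tool would query from a
# protected network at config time, as suggested in the thread.
Resolver = Callable[[str], List[str]]

def pin_rules(rules: List[Tuple[str, str]], resolver: Resolver) -> List[dict]:
    """Resolve each hostname once, at config time, and freeze the addresses.

    A source that is already an address or CIDR block is kept verbatim: DNS
    cannot express a range like 123.45.67.0/24, so it stays hardcoded. Each
    rule keeps the original name so the admin can confirm what was resolved
    and so later drift can be detected.
    """
    pinned = []
    for action, source in rules:
        try:
            ipaddress.ip_network(source, strict=False)
            pinned.append({"action": action, "source": source,
                           "addrs": (source,), "from_dns": False})
            continue
        except ValueError:
            pass  # not a literal address, so it needs a lookup
        addrs = tuple(sorted(resolver(source)))
        if not addrs:
            raise LookupError(f"{source}: no addresses, refusing an empty rule")
        pinned.append({"action": action, "source": source,
                       "addrs": addrs, "from_dns": True})
    return pinned

def confirmation_prompt(pinned: List[dict]) -> List[str]:
    """Lines the admin must review before the rule set is committed."""
    return [f"{r['action']} {r['source']} -> {', '.join(r['addrs'])}"
            for r in pinned if r["from_dns"]]

def check_drift(pinned: List[dict], resolver: Resolver) -> List[str]:
    """Re-resolve pinned names; report rules whose addresses changed.

    Until config is re-run, the device keeps enforcing the old address,
    which is the manual intervention Greco points out.
    """
    return [r["source"] for r in pinned
            if r["from_dns"] and tuple(sorted(resolver(r["source"]))) != r["addrs"]]

# Constructed lookup tables: DNS before and after a renumbering of mgmt.
DNS_BEFORE: Dict[str, List[str]] = {"mgmt.example.net": ["192.0.2.10"],
                                    "ntp.example.net": ["192.0.2.21", "192.0.2.20"]}
DNS_AFTER: Dict[str, List[str]] = {"mgmt.example.net": ["198.51.100.10"],
                                   "ntp.example.net": ["192.0.2.20", "192.0.2.21"]}
RULES = [("permit", "mgmt.example.net"), ("permit", "ntp.example.net"),
         ("permit", "203.0.113.0/24")]
```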