From: John Fraizer [mailto:nanog@Overkill.EnterZone.Net] Sent: Monday, May 14, 2001 1:33 AM
On Mon, 14 May 2001, Roeland Meyer:
Yet, I can't depend on IP addrs because my upstream might have to be changed... damn, I shouldn't have depended on my scumbag DSL upstream, eh? Gee, maybe I should have had a names based system after all? Either way, I wind up having to rebuild Oracle boxen and application servers, every time somebody farts. Just what in blue hell are we supposed to do?
Um, lets see...how about this. You use NAT. That'll be $180.00 please. I'll send you an invoice.
Good luck, some critical stuff can't NAT. Send it, I'll file it in the appropriate receptacle.
BTW, the last I checked SSL certs are usually names based. Pretty slack security, eh?
Slack, no. You're comparing apples to oranges here and HOPEFULLY, you know it. Basing security on IN-ADDR is absolutely idiotic.
Agreed, but some code requires it. Which was my point. I'm talking smaller vendors, like Oracle. BTW, how do I fake in-addr.arpa responses for NAT'd space? My Oracle 8i server keeps checking the reverse addr every time I try to create a DB. It's really annoying. Funny thing, my DB2 servers do the same thing ...
Basing security on IP addresses on the other hand is while not a complete security solution, MUCH MORE SOUND than IN-ADDR. You can at least build ACLs in your router(s) that don't allow spoofed traffic to enter your network.
Then, why bother with DNS? This becomes a real problem with non-portable IP blocks. My point remains, names are more portable than IP addrs.
Now, about the SSL security thing. SSL certification is designed to certify the identity of the server and that identity is based on the FQDN. SSL CERTs are around for the PRECISE reason that it is too easy to spoof IN-ADDR, etc.
I agree, and always have, that reverse is easy to spoof. However, breaking reverse is guaranteed to make some things fail. Some of those things are proprietary code, owned by someone else, that I don't have sources for (and which I paid a lot of money for). No, I don't have any clout with Oracle (any more than you do, with Bill Gates).
This is right on up there with:
1) You idiot DSL monkey, you deserve your Inet death because you didn't multi-home. 2) No, you can't advertise less than a /20. 3) No, you don't deserve larger than a /32. 4) Yes, we know that makes multi-homing impossible for those that need it the most. 5) No, we don't care, you idiot DSL monkeys deserve Inet death.
Yeah, the message you send out is real clear. ... and one wonders why the Internet has an implosion problem...
And that's right up there with "<plonk!> me please! I'm an idiot DSL monkey! WAAAAAAAAAA! My DSL provider went tits-up and I hadn't built any contengency plan. I'm going to go bankrupt! WAAAAAAAAA!"
I'm glad you enjoyed that, it was supposed to be funny. BTW, DSLnetworks is still in business...how (if they're so bad)? But, that wasn't the point. The point is that many of us, on the end-points, are being hung out there without recourse. How do we multi-home to different providers when routing gets munged as a guaranteed side-effect?
If your business depends (depended) on stable and reliable internet connectivity with your own (or at least non-changing) address space, might I suggest that you should have gone to ARIN for a microblock of address space and established a contengency plan with some other provider(s) in the event that the sky fell?
I've been trying to do that for years. Minor technical difficulties keep getting in the way, like routability. I can get the /24, already have the ASN, but can't get it routed. If it's so easy, how come you haven't done it yet?