RE: Reverse DNS RFCs and Recommendations
We cannot assume that the connection between ISP and CPE is a single entity. A typical example will be the guy who runs the DSLAM and the guy who runs the BRAS belong to two different companies in a market which mandates open access.

Alex Rubenstein <alex@corp.nac.net> wrote:
Not necessarily. When the CPE is configured through DHCP (or PPP?), the ISP can send the secret.
Which can be seen, in many cases, by other parties
Who can see the packets sent from the local ISP to the CPE directly connected to the ISP?
The NSA, FBI, CIA, DHS. Or, the ISP, the ISP's employees, contractors, sub-contractors. Or the phone company handling the PPPOE, L2TP, or whatever else. Or the WiFi sniffer on the street outside.
We cannot assume that the connection between ISP and CPE is a single entity.
A typical example will be the guy who runs the DSLAM and the guy who runs the BRAS belong to two different companies in a market which mandates open access.
... which is very, very common.
On Fri, Nov 1, 2013 at 9:19 PM, Alex Rubenstein <alex@corp.nac.net> wrote:
A typical example will be the guy who runs the DSLAM and the guy who runs the BRAS belong to two different companies in a market which mandates open access. ... which is very, very common.
It's also a troublesome situation for the ISP; it may be "open access" on paper, but DSLAMs and BRASes break, and then the ISP is potentially at the mercy of bureaucratic support walls and the DSLAM operator, who would love to create as many weeks' delay in repair as possible and pay lip service to getting issues addressed; for the end user to get frustrated, blame the ISP, and switch service to their own.

But yeah.... sniffing/tapping can target the underlying link provider. Or it can even involve agents tapping into copper wires with alligator clips, unbeknownst to even the DSLAM operator.....

The trouble with end-to-end encryption as a solution is the difficulty/impossibility of establishing IPsec SAs with arbitrary hosts on the internet without manual pre-configuration of every pair of hosts.

--
-JH
Jimmy Hess wrote:
The trouble with end-to-end encryption as a solution is the difficulty/impossibility of establishing IPsec SAs with arbitrary hosts on the internet without manual pre-configuration of every pair of hosts.
In this case, the ISP and the CPE are physically and directly connected with modest security, which makes automation possible.

Masataka Ohta
Participants (4): Alex Rubenstein, Beng Hui Ong, Jimmy Hess, Masataka Ohta