North American Network Operators Group


Re: RBL-type BGP service for known rogue networks?

  • From: Greg A. Woods
  • Date: Mon Jul 10 12:12:16 2000

[ On Monday, July 10, 2000 at 11:38:23 (-0400), Shawn McMahon wrote: ]
> Subject: Re: RBL-type BGP service for known rogue networks?
>
> Oh, you wanna go there?

Yes.  (Been there, done it, wrote the book!  ;-)

> Hmm. MUST NOT refuse.  Who's violating the RFC here, again?

Well, since I'm free to implement policies that affect my own system(s),
you lose, not me.  Fix your DNS or your mailer and we both win.

> *ANYBODY* using sendmail from a dynamic IP is either going to do this, or
> worse.  RFC 1123 requires you to live with it.

Wrong.  On both counts.  (though for different reasons)

> If you choose not to, don't wave the damn RFC around like a magic shield.

Since I was using the Internet at the time that RFC was written, though
unfortunately not directly involved in its writing, I can fully
understand the meaning of that apparent self-contradiction.  Nearly a
dozen years ago there were different pressures on RFC writers.

Most every sane person I know now understands that the so-called
robustness principle defined in RFC 1123 MUST not be used to ignore
security issues.  Although forging a HELO name isn't exactly fraud, it's
very close, and therefore it's definitely a security issue (the risks
are relatively low, but there's more than ample evidence that people
continue to use it for illicit purposes on an ongoing basis).

> CNAMEs are "valid principal host domain name[s]".

No, bzzt, wrong!  CNAMEs can point at host domain names, but they are
definitely not anything like host domain names!  Host domain names are
only those that return A RRs.

>  Nothing in the RFC
> says it can't be a CNAME, but something in the RFC says you have to accept
> it even if it's flat-out wrong or a lie.

Sorry, but you've leapt over a set with your misunderstanding above and
therefore the remainder of your logic falls to pieces completely.

-- 
							Greg A. Woods

+1 416 218-0098      VE3TCP      <[email protected]>      <robohack!woods>
Planix, Inc. <[email protected]>; Secrets of the Weird <[email protected]>
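The distinction the post draws between a host domain name (one that returns A RRs) and a CNAME alias, and its treatment of a forged HELO name as a policy matter, as an added example that is not part of the original thread or of anyone's mailer. The resolver is a constructed in-memory zone (names, addresses and the 250/550 reply strings are all assumptions) so the check runs offline; a real mailer would query live DNS and must look for the CNAME RR explicitly, since resolvers return the chased A records together with the alias.

```python
from typing import Dict, List, Tuple

# Constructed stand-in for DNS: owner name -> list of (rrtype, rdata).
FAKE_ZONE: Dict[str, List[Tuple[str, str]]] = {
    "mail.example.com.": [("A", "192.0.2.25")],
    "smtp.example.com.": [("CNAME", "mail.example.com.")],  # alias, not a host name
    "example.com.":      [("MX", "10 mail.example.com.")],  # a zone apex, no A RR
    "ns1.example.com.":  [("A", "192.0.2.53")],
}


def lookup(name: str, rrtype: str, zone: Dict[str, List[Tuple[str, str]]] = FAKE_ZONE) -> List[str]:
    """Return the rdata of every RR of the given type at the (normalised) owner name."""
    key = name.strip().lower().rstrip(".") + "."
    return [rdata for rtype, rdata in zone.get(key, []) if rtype == rrtype]


def classify_helo(helo: str, zone: Dict[str, List[Tuple[str, str]]] = FAKE_ZONE) -> str:
    """Classify a HELO argument as 'host' (has A RRs), 'cname' (an alias) or 'unknown'."""
    if lookup(helo, "CNAME", zone):
        return "cname"      # points at a host domain name, but is not one itself
    if lookup(helo, "A", zone):
        return "host"       # a principal host domain name in the post's sense
    return "unknown"        # no A RRs at all (nonexistent, or e.g. only MX/NS)


def check_helo(helo: str, peer_ip: str, zone: Dict[str, List[Tuple[str, str]]] = FAKE_ZONE) -> Tuple[bool, str]:
    """Local site policy (an assumption, not RFC text): accept the HELO name only if
    it is a real host name AND one of its addresses is the connecting peer, so a
    name borrowed from some other host is rejected as forged."""
    kind = classify_helo(helo, zone)
    if kind == "cname":
        return False, f"550 {helo} is a CNAME alias, not a host domain name"
    if kind == "unknown":
        return False, f"550 {helo} has no address records"
    if peer_ip not in lookup(helo, "A", zone):
        return False, f"550 {helo} does not resolve to connecting address {peer_ip}"
    return True, f"250 {helo} ok"


if __name__ == "__main__":
    for name, ip in [("mail.example.com", "192.0.2.25"),
                     ("smtp.example.com", "192.0.2.25"),
                     ("mail.example.com", "198.51.100.7"),
                     ("example.com", "192.0.2.25")]:
        print(name, ip, check_helo(name, ip))
```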