North American Network Operators Group

Re: Question concerning authoritative bodies.

  • From: Valdis.Kletnieks
  • Date: Sun Mar 09 13:35:29 2003

On Sun, 09 Mar 2003 11:50:04 CST, Jack Bates <[email protected]>  said:

> So I'm curious what people think. We have semi centralized various things in
> the past such as IP assignments and our beloved DNS root servers. Would it
> not also make sense to handle common security checks in a similar manner? In

IP assignments are factual things of record - AS1312 has 198.82/16 and
128.173/16, and no amount of value judgments will change that.  And yet,
there's scattered complaints about what it takes to get a /19 to multihome.

DNS servers are similarly "things of record".  This organization has this
domain, and their servers are found where the NS entries point.  And the
dispute resolution process is, in a word, a total mess - how many *years*
has the sex.com debacle dragged on now?

So who do you trust to be objective enough about a centralized registry
of security, especially given that there's no consensus on what a proper
level of security is?  And if there's a problem, what do you do?   In our
case, do you ban an entire /16 because one chucklehead sysadmin forgot to
patch up IIS (or wasn't able to - I know of one case where one of our boxes
got hacked while the primary sysadmin was recovering from a heart bypass).
Dropping a note to our [email protected] address will probably get it fixed, but often
we're legally not *ABLE* to say much more than "we got your note and we'll
deal with the user" - Buckley Amendment is one of those laws that I'm glad
is there, even if it does make life difficult sometimes.

> needs to be done? Would it not be better to have a single test suite run
> against a server once every six months than the constant bombardment we see
> now?

I submit to you the thesis that in general, the sites that are able to tell
the difference between these two situations are not the sites that either
situation is trying to detect.


-- 
				Valdis Kletnieks
				Computer Systems Senior Engineer
				Virginia Tech