North American Network Operators Group


Re: request for help w/ ATT and terminology

  • From: William Herrin
  • Date: Fri Jan 18 23:14:40 2008
  • Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:sender:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references:x-google-sender-auth; bh=VEQegftboT/0/ewG/Oxn76gLpecXhLQXPbvnb2/FscU=; b=f8bYpDTfAWiycL3XMa8qyvI00mgkzOImzGOoMDiz+dnA/eyxib24AqRw8uY5AkAu+TlHZe8neeVTeI6UwcCTsX1uXtkNWCv8J7IPl9eLKseeDD09lpd2BT70OO2CkhJqdNWqoTFBppGNlfEI6olXk/SkWOhCJ5czu7Ct5oa1y5g=
  • Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:sender:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references:x-google-sender-auth; b=cEwRuM+oNFEaK4HQB+HjSKHAi3R/1uC6Wk3eqOLvPkEAo0Kgg0a38gHdawY/4uVs4jokPz5BrsoQO+hVCBSJiTOAc5h8Vb98mit3oBTiaRGCS/ZJtaRd04FUAih7aQmp6IN9RIS89FpyfMh8b5ySR/TbwOjXtvVzL8dcvh/4XEU=

On Jan 18, 2008 10:18 PM, Roland Dobbins <[email protected]> wrote:
> > host.somewhere.net in a firewall rule in a PIX/ASA/etc. as opposed
>
> It's not only a security issue, but a performance issue (both resolver
> and server) and one of practicality, as well (multiple A records for a
> single FQDN, CNAMEs, A records without matching PTRs, et al.).  The
> performance problem would likely be even more apparent under DNSSEC,
> and the practicality issue would remain unchanged.

Roland,

  For renumbering purposes, you could reasonably expect the firewall
to perform the translations once when rebooted or reset, after which
it would use the discovered IP addresses. This would only fail where
the firewall was being operated by someone in a different
administrative domain than the engineer who has to renumber... And
those scenarios are already indicative of a security problem.

  Unfortunately, we're all ignoring the big white elephant in the
room: spam filters. When a large flow of email suddenly starts
emitting from an address that didn't previously send significant
amounts of mail, a number of filters squash it for a while based
solely on the changed message rate. This can be very traumatic for the
engineer trying to renumber and it is 100% outside of his realm of
control. And of course, you lose all of the private whitelists that
you talked your way on to over the years where you no longer have a
valid point of contact.

  Renumbering is a bad bad thing.

Regards,
Bill Herrin



-- 
William D. Herrin                  [email protected]  [email protected]
3005 Crane Dr.                        Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
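As an added example, not code from this thread or from any firewall vendor: the reply above assumes a firewall can resolve each rule's FQDN once at reload and then work from the discovered addresses, while the quoted message lists the cases where that is impractical (several A records behind one name, CNAMEs, addresses with no matching PTR). The script below does that one-shot resolution against a constructed toy zone standing in for a real resolver (the zone, the hostnames and the `fake_lookup` function are assumptions made for the example) and flags each of those cases, so an operator can audit hostname-based rules before a renumber.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed toy zone (assumption for this example, not real DNS data).
# Keys are (owner name, record type); values are the record data.
FAKE_DNS = {
    ("host.somewhere.net", "A"): ["192.0.2.10"],
    ("www.somewhere.net", "CNAME"): ["host.somewhere.net"],
    ("mail.somewhere.net", "A"): ["192.0.2.20", "192.0.2.21"],
    ("orphan.somewhere.net", "A"): ["198.51.100.5"],
    ("10.2.0.192.in-addr.arpa", "PTR"): ["host.somewhere.net"],
    ("20.2.0.192.in-addr.arpa", "PTR"): ["mail.somewhere.net"],
    ("21.2.0.192.in-addr.arpa", "PTR"): ["mail.somewhere.net"],
}


def fake_lookup(name, rtype):
    """Stand-in for a resolver query; returns a list of record data (empty if none)."""
    return list(FAKE_DNS.get((name.lower(), rtype), []))


@dataclass
class Resolution:
    fqdn: str
    addresses: list = field(default_factory=list)   # what the rule would match
    warnings: list = field(default_factory=list)    # why the rule is ambiguous


def resolve_rule_host(fqdn, lookup=fake_lookup, max_cname=8):
    """Resolve one rule hostname the way a firewall would at reload and
    record every property that makes the result fragile."""
    res = Resolution(fqdn)
    name = fqdn
    hops = 0
    # Follow CNAMEs explicitly: the rule's address set is then owned by
    # whoever controls the target name, not the name written in the rule.
    while True:
        cname = lookup(name, "CNAME")
        if not cname:
            break
        hops += 1
        if hops > max_cname:
            res.warnings.append("CNAME chain too long")
            return res
        res.warnings.append(f"CNAME {name} -> {cname[0]}")
        name = cname[0]
    addrs = lookup(name, "A")
    if not addrs:
        res.warnings.append("no A record")
        return res
    if len(addrs) > 1:
        res.warnings.append(f"{len(addrs)} A records; rule matches all of them")
    # A missing or mismatched PTR does not break the rule, but it does mean
    # the reverse side will not identify the host during a renumber.
    for ip in addrs:
        ptr = lookup(ipaddress.ip_address(ip).reverse_pointer, "PTR")
        if name.lower() not in [p.lower() for p in ptr]:
            res.warnings.append(f"{ip} has no PTR back to {name}")
    res.addresses = sorted(addrs)
    return res


def snapshot_rules(fqdns, lookup=fake_lookup):
    """Resolve every rule hostname once and freeze the result, the
    reload-time behaviour the reply above describes."""
    return {f: resolve_rule_host(f, lookup) for f in fqdns}


if __name__ == "__main__":
    table = snapshot_rules(["host.somewhere.net", "www.somewhere.net",
                            "mail.somewhere.net", "orphan.somewhere.net",
                            "missing.somewhere.net"])
    for fqdn, r in table.items():
        print(f"{fqdn:24} {','.join(r.addresses) or '-':28} {'; '.join(r.warnings)}")
```

To use it against live DNS, replace `fake_lookup` with a function that issues real A, CNAME and PTR queries; the audit logic is independent of where the answers come from, and the frozen table it returns is exactly what would need to be refreshed after the renumber.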