[dns-operations] Kaminsky: Protect IP Act Would Break DNS

Joe Greco jgreco at ns.sol.net
Sun Jul 17 12:11:54 UTC 2011


> * Joe Greco:
> 
> > However, those solutions are much more fraught with peril.  When
> > you start interfering with IP addresses, for example, even assuming
> > you could inject a v4 /32, you may take down a whole slew of sites
> > unrelated to what you are attempting to target.
> 
> This is not rocket science.  You route the /32 to the interception
> device, and do whatever processing is necessary at the higher protocol
> level.  It's probably sufficient if you match on a few characteristic
> keywords/bit strings there.  Clean interception based on URIs (or
> their application-specific equivalent) is difficult, but would
> probably be required by law.

So, you're talking about injecting a /32 in the local service provider's
network, and then forcing them to buy an interception device and then
be competent to get that configured to work in tandem without also
messing up the related sites, and you expect every service provider in
the country to do this in each of their regional networks without 
screwing it up.

My friend, that IS rocket science, I'm sorry.

I purposely chose the term "fraught with peril" for a reason.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
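Editor's added example (not code from either poster, and not anything the list discusses as deployed): the two positions above differ on what an order against one site does to everything else behind the same address. The snippet contrasts the two mechanisms named in the exchange, blackholing the /32 versus routing the /32 to a device that classifies each flow on its higher-level identifier (HTTP Host header and path), and models the caveat that once that identifier is not visible in plaintext the device cannot cleanly separate the target from its neighbours. All addresses, hostnames and request bytes are constructed for the example; the "unknown" verdict for a non-HTTP payload is an assumption about how such a device would behave, not a description of any real product.

```python
"""Added example: the decision a '/32 plus interception device' has to make
per flow, beside the blunt alternative of blackholing the /32.
Addresses, hostnames and requests are constructed, not taken from the thread."""

# Constructed: one shared hosting address serving several unrelated sites.
SHARED_IP = "192.0.2.10"
BLOCKED_IP = SHARED_IP          # the /32 an order would have injected

# Constructed: the single site an order targets ...
TARGET_HOSTS = {"target.example"}
# ... and every site that happens to share the address (virtual hosting).
HOSTS_ON_IP = {"target.example", "bakery.example", "school.example"}


def ip_blackhole_victims(blocked_ip, hosts_on_ip):
    """Blackholing the /32: every site behind the address goes dark,
    regardless of which one the order was about."""
    if blocked_ip != SHARED_IP:
        return set()
    return set(hosts_on_ip)


def parse_http_request(raw):
    """Minimal HTTP/1.x parser: request line plus headers, enough to
    recover the path and the Host header.  Raises ValueError/IndexError
    on anything that is not a well-formed request head."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return method.decode(), path.decode(), headers


def interceptor_decision(dst_ip, payload, target_hosts, blocked_paths=()):
    """Classify one flow that the injected /32 has steered to the device.

    Returns 'pass', 'drop' or 'unknown'.  'unknown' is the assumed
    behaviour when the flow carries no plaintext Host/URI (for instance a
    TLS record): the device has nothing above the IP layer to match on,
    which is exactly the situation where it cannot tell the target from the
    unrelated sites on the same address.
    """
    if dst_ip != BLOCKED_IP:
        return "pass"                       # not the /32; never reaches the device
    if not payload.startswith((b"GET ", b"POST ", b"HEAD ")):
        return "unknown"                    # not plaintext HTTP, e.g. a TLS record
    try:
        _method, path, headers = parse_http_request(payload)
    except (ValueError, IndexError):
        return "unknown"
    host = headers.get("host", "").split(":")[0].lower()
    if host in target_hosts:
        # Optional URI-level matching, the part the thread calls difficult.
        if not blocked_paths or any(path.startswith(p) for p in blocked_paths):
            return "drop"
    return "pass"


def demo():
    """Run three constructed flows to the shared address through the device."""
    flows = {
        "target.example": b"GET /video/123 HTTP/1.1\r\nHost: target.example\r\n\r\n",
        "bakery.example": b"GET /menu HTTP/1.1\r\nHost: bakery.example\r\n\r\n",
        # Constructed bytes resembling the start of a TLS record: no Host visible.
        "tls-flow": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03",
    }
    return {name: interceptor_decision(SHARED_IP, raw, TARGET_HOSTS)
            for name, raw in flows.items()}


if __name__ == "__main__":
    print("blackhole takes down:", sorted(ip_blackhole_victims(BLOCKED_IP, HOSTS_ON_IP)))
    print("interception device:", demo())
```

Running it shows the trade-off in one screen: the blackhole returns all three sites as casualties, while the device drops only the flow whose Host header names the target, passes the bakery, and has no usable verdict for the TLS flow. Whether every provider can deploy and operate the second mechanism correctly is the operational question the reply above raises, not something the code settles.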