fw at deneb.enyo.de
Mon Dec 15 06:55:16 UTC 2014
* David Conrad:
> Software diversity is a tool that network administrators use to
> improve resiliency in their infrastructure. I agree it is not a
> silver bullet but if I was building out critical infrastructure like
> (oh say) a root server or a resolver cloud that my customers depend
> on, I would want to minimize the risk that my infrastructure was
> vulnerable to a single bug.
When you aim for diversity, you get the union of all bugs, not the
intersection. (Same with complex firewalling software: the
application which needs to be protecting needs to be *really* bad that
a firewall in front of it makes the overall bug count go down.) Even
the effect on resiliency is limited because bugs in independently
written pieces of software are not random, but are somewhat correlated.
And regarding denial of service, ripping out TCP/IP and replacing it
with something that has working denial-of-service capabilities (by
pushing the impact closer to the sources, say) is simply not an option
for many operators.
More information about the dns-operations