<div dir="ltr"><br><div>Your article mentions RRL and <span style="color:rgb(51,51,51);font-family:Verdana,Arial,sans-serif;font-size:12px;line-height:15.807999610900879px">asymmetric threats, but does not mention that RRL opens the implementor up to a new </span><span style="color:rgb(51,51,51);font-family:Verdana,Arial,sans-serif;font-size:12px;line-height:15.807999610900879px">asymmetric threat. With RRL, an attacker can spoof legitimate clients and cause the RRL implementation to deny them service. </span></div>
<div><span style="color:rgb(51,51,51);font-family:Verdana,Arial,sans-serif;font-size:12px;line-height:15.807999610900879px"><br></span></div><div><span style="color:rgb(51,51,51);font-family:Verdana,Arial,sans-serif;font-size:12px;line-height:15.807999610900879px">For example, if the authoritative provider <a href="http://www.example.com">www.example.com</a> were to implement RRL as you describe, then an attacker could spoof traffic purporting to be from Google Public DNS, OpenDNS, Comcast ... etc, and cause <a href="http://www.example.com">www.example.com</a> to be un-resolvable by users of those resolvers. </span></div>
<div><span style="color:rgb(51,51,51);font-family:Verdana,Arial,sans-serif;font-size:12px;line-height:15.807999610900879px"><br></span></div><div><span style="color:rgb(51,51,51);font-family:Verdana,Arial,sans-serif;font-size:12px;line-height:15.807999610900879px">The more widely RRL is applied to more protocols and schemes, the more they are vulnerable to this same simple counter-attack. It seems like setting the internet up with a brittle component that may ultimately makes spoofing-based denial of service easier, not harder. This creates additional risk on the implementor at very little benefit to themselves, which still seems asymmetric. </span></div>
<div><span style="color:rgb(51,51,51);font-family:Verdana,Arial,sans-serif;font-size:12px;line-height:15.807999610900879px"><br></span></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Feb 6, 2014 at 9:53 AM, Paul Vixie <span dir="ltr"><<a href="mailto:paul@redbarn.org" target="_blank">paul@redbarn.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="font-family:tt;font-size:11pt" bgcolor="#FFFFFF" text="#000000">
<div style="font-size:11pt;font-family:tt"><span style="font-family:monospace">my latest bcp38 related effort was published in ACM Queue
today:<br><br><a href="http://queue.acm.org/detail.cfm?id=2578510" target="_blank">http://queue.acm.org/detail.cfm?id=2578510</a><span class="HOEnZb"><font color="#888888"><br><br>vixie<br></font></span></span></div>
</div>
<br>_______________________________________________<br>
dns-operations mailing list<br>
<a href="mailto:dns-operations@lists.dns-oarc.net">dns-operations@lists.dns-oarc.net</a><br>
<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-operations<br>
dns-jobs</a> mailing list<br>
<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-jobs" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-jobs</a><br></blockquote></div><br><br clear="all"><div><br></div>-- <br>Colm
</div>