Details of the DNS flaw revealed

Posted Aug 21, 2008 8:13 UTC (Thu) by forthy (guest, #1525)
Parent article: Details of the DNS flaw revealed

We need to accept that the whole TCP/IP frame was designed for a cooperative environment, not a hostile one. Forging IP source addresses is already something a secure network should not allow, and in fact it should not be difficult to implement IP filters in routers that drop all forged IP sources (i.e. those that can't come from that segment). The lack of authentication everywhere is another problem. All the security stuff like signed mails, DNSSEC, etc. is worthless if unsigned data is still accepted as good.

IMHO, the internet protocols need to be redesigned from scratch. But then, there will be serious transition problems - IPv6 already causes those, even though much of the protocols are unchanged, and thus their problems are not fixed either. For the transition period, we'll need protocol translators. However, these translators cause security problems as well, because the problems in the old protocols aren't fixable. The good thing is that you can phase out the old protocols over time, and put pressure on sensitive services to migrate first (the last IPv4 devices in such a network will probably be the printers on the LAN, because they don't cause many security problems).



Details of the DNS flaw revealed

Posted Aug 21, 2008 23:23 UTC (Thu) by dlang (subscriber, #313)

The concept of what IP addresses "can't come from that segment" falls apart when you get into the core of the Internet where dynamic routing (via BGP) is used. The dynamic routing is designed so that it can send anyone's traffic anywhere if that's the best way for it to get there.
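The source-address filter forthy describes, and the limit dlang points out, can both be shown in a small simulation. The following is an added example and not code from LWN or from either commenter: a strict per-interface ingress filter in the spirit of BCP 38, where a packet is permitted only if its source lies in a prefix known to live behind the interface it arrived on. Interface names, prefixes (RFC 5737 / RFC 3849 documentation ranges) and the sample packets are all constructed values; an interface with no prefix list stands in for a core or peering link, where the filter has no expectation to check against and therefore cannot decide.

```python
# Added example: strict ingress (source-address) filtering at a network edge,
# the "drop forged IP sources" check discussed above, in the spirit of BCP 38.
# Constructed illustration code, not from LWN or any commenter; interface
# names, prefixes and packets are made-up sample values.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Interface:
    name: str
    # Prefixes that legitimately originate behind this interface.  An empty
    # list means "anything may arrive here" (a core/peering link), which is
    # exactly the case where this kind of filter cannot decide.
    prefixes: List[str]


@dataclass
class Packet:
    iface: str   # interface the packet arrived on
    src: str     # source IP address as a string
    dst: str


class IngressFilter:
    """Per-interface source-address check: permit a packet only if its source
    lies inside a prefix known to live behind the interface it came in on."""

    def __init__(self, interfaces: List[Interface]) -> None:
        self._nets: Dict[str, list] = {
            i.name: [ipaddress.ip_network(p) for p in i.prefixes]
            for i in interfaces
        }

    def decision(self, pkt: Packet) -> str:
        nets = self._nets.get(pkt.iface)
        if nets is None:
            return "drop"            # unknown interface: fail closed
        if not nets:
            return "uncheckable"     # core link: no per-interface expectation
        try:
            src = ipaddress.ip_address(pkt.src)
        except ValueError:
            return "drop"            # malformed source address
        # ip_network membership returns False on an IPv4/IPv6 mismatch, so
        # mixed address families need no special-casing here.
        return "permit" if any(src in n for n in nets) else "drop"


def build_sample_filter() -> IngressFilter:
    # Constructed topology: two customer ports with known prefixes and one
    # uplink towards the core with none.
    return IngressFilter([
        Interface("eth1", ["192.0.2.0/24", "2001:db8:1::/48"]),   # customer A
        Interface("eth2", ["198.51.100.0/24"]),                   # customer B
        Interface("eth0", []),                                    # uplink / core
    ])


# Constructed sample traffic.
SAMPLE_PACKETS = [
    Packet("eth1", "192.0.2.10", "203.0.113.1"),      # A using its own address
    Packet("eth1", "198.51.100.7", "203.0.113.1"),    # A forging B's address
    Packet("eth1", "2001:db8:1::5", "2001:db8:9::1"), # A's IPv6 prefix
    Packet("eth2", "203.0.113.9", "192.0.2.1"),       # B forging an unrelated source
    Packet("eth0", "203.0.113.9", "192.0.2.1"),       # arrives from the core
    Packet("eth1", "not-an-ip", "192.0.2.1"),         # malformed source
]


def audit(filt: IngressFilter, packets: List[Packet]) -> List[str]:
    """Return the filter decision for each packet, in order."""
    return [filt.decision(p) for p in packets]


if __name__ == "__main__":
    f = build_sample_filter()
    for p, d in zip(SAMPLE_PACKETS, audit(f, SAMPLE_PACKETS)):
        print(f"{p.iface:5} src={p.src:15} -> {d}")
```

Running it shows the two forged sources on the customer ports being dropped while the same forged address arriving over the uplink is reported as "uncheckable": at an edge the router knows which prefixes belong behind each port, but on a core link with dynamic routing there is no such expectation, which is why this filter is effective at the network edge rather than in the core.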

Details of the DNS flaw revealed

Posted Aug 22, 2008 9:07 UTC (Fri) by paulj (subscriber, #341)

That's a deficiency in BGP though, or at least a mark of it being designed in days when the internet was a smaller place. It's something which people are trying to address in various ways.

Copyright © 2009, Eklektix, Inc.