To CAIS Engineers - WAKE UP AND TAKE CARE OF YOUR CUSTOMERS

Roeland Meyer rmeyer at mhsc.com
Mon May 14 09:35:45 UTC 2001


> From: John Fraizer [mailto:nanog at Overkill.EnterZone.Net]
> Sent: Monday, May 14, 2001 1:33 AM

> On Mon, 14 May 2001, Roeland Meyer:

> > Yet, I can't depend on IP addrs because my upstream might have to be
> > changed... damn, I shouldn't have depended on my scumbag DSL upstream, eh?
> > Gee, maybe I should have had a names based system after all? Either way, I
> > wind up having to rebuild Oracle boxen and application servers, every time
> > somebody farts. Just what in blue hell are we supposed to do?
> 
> Um, let's see...how about this.  You use NAT.  That'll be $180.00 please.
> I'll send you an invoice.

Good luck, some critical stuff can't NAT. Send it, I'll file it in the
appropriate receptacle.

> > BTW, the last I checked SSL certs are usually names based. Pretty slack
> > security, eh?
> 
> Slack, no. You're comparing apples to oranges here and HOPEFULLY, you know
> it.  Basing security on IN-ADDR is absolutely idiotic.

Agreed, but some code requires it. Which was my point. I'm talking smaller
vendors, like Oracle. BTW, how do I fake in-addr.arpa responses for NAT'd
space? My Oracle 8i server keeps checking the reverse addr every time I try
to create a DB. It's really annoying. Funny thing, my DB2 servers do the
same thing ...

> Basing security on IP addresses, on the other hand, is, while not a complete
> security solution, MUCH MORE SOUND than IN-ADDR.  You can at least build
> ACLs in your router(s) that don't allow spoofed traffic to enter your
> network.

Then, why bother with DNS? This becomes a real problem with non-portable IP
blocks. My point remains, names are more portable than IP addrs.

> Now, about the SSL security thing. SSL certification is designed
> to certify the identity of the server and that identity is based on the
> FQDN.  SSL CERTs are around for the PRECISE reason that it is
> too easy to spoof IN-ADDR, etc.

I agree, and always have, that reverse is easy to spoof. However, breaking
reverse is guaranteed to make some things fail. Some of those things are
proprietary code, owned by someone else, that I don't have sources for (and
which I paid a lot of money for). No, I don't have any clout with Oracle
(any more than you do, with Bill Gates).

> > This is right on up there with:
> >
> > 1) You idiot DSL monkey, you deserve your Inet death because you didn't
> > multi-home.
> > 2) No, you can't advertise less than a /20.
> > 3) No, you don't deserve larger than a /32.
> > 4) Yes, we know that makes multi-homing impossible for those that need it
> > the most.
> > 5) No, we don't care, you idiot DSL monkeys deserve Inet death.
> >
> > Yeah, the message you send out is real clear.
> > ... and one wonders why the Internet has an implosion problem...
> 
> And that's right up there with "<plonk!> me please!  I'm an idiot DSL
> monkey!  WAAAAAAAAAA!  My DSL provider went tits-up and I hadn't built any
> contingency plan.  I'm going to go bankrupt!  WAAAAAAAAA!"

I'm glad you enjoyed that, it was supposed to be funny. BTW, DSLnetworks is
still in business...how (if they're so bad)? But, that wasn't the point. The
point is that many of us, on the end-points, are being hung out there
without recourse. How do we multi-home to different providers when routing
gets munged as a guaranteed side-effect?

> If your business depends (depended) on stable and reliable internet
> connectivity with your own (or at least non-changing) address space, might
> I suggest that you should have gone to ARIN for a microblock of address
> space and established a contingency plan with some other provider(s) in
> the event that the sky fell?

I've been trying to do that for years. Minor technical difficulties keep
getting in the way, like routability. I can get the /24, already have the
ASN, but can't get it routed. If it's so easy, how come you haven't done it
yet?
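The thread's disagreement about reverse DNS as an authentication signal (the Oracle and DB2 reverse-lookup checks Roeland describes, and John's point that in-addr is trivially spoofed because the address holder controls their own reverse zone) can be made concrete with a forward-confirmed reverse DNS check. The script below is an added example and not code from either poster; it embeds a constructed stub resolver (RFC 5737 documentation addresses, example.net names) so it runs offline, and the names `fcrdns`, `allow_ptr_only` and `allow_fcrdns` are this example's own. It shows the weak PTR-only check accepting a host whose reverse zone merely claims a trusted name, and the forward-confirmed check rejecting it because the claimed name's A record does not point back at that address.

```python
"""Forward-confirmed reverse DNS (FCrDNS) versus PTR-only trust.

Added example, not part of the original NANOG thread. All DNS data below is
constructed; a real deployment would query a resolver for PTR and A records.
"""
import ipaddress

# Constructed PTR records: what the reverse zone for each address claims.
# The owner of 198.51.100.0/24 can put any name they like in their zone.
PTR_RECORDS = {
    "192.0.2.10": "db.example.net",           # honest host, forward agrees
    "192.0.2.20": "trusted.example.net",      # the real trusted host
    "198.51.100.7": "trusted.example.net",    # reverse zone claims a name it doesn't control
}

# Constructed A records: controlled by the owner of example.net, not by
# whoever runs the reverse zone for some unrelated address block.
A_RECORDS = {
    "db.example.net": ["192.0.2.10"],
    "trusted.example.net": ["192.0.2.20"],
}

# Names an application (in the thread's case, a database server) trusts.
TRUSTED_NAMES = {"db.example.net", "trusted.example.net"}


def reverse_name(ip):
    """Owner name the resolver would query for the PTR, e.g. 10.2.0.192.in-addr.arpa."""
    return ipaddress.IPv4Address(ip).reverse_pointer


def lookup_ptr(ip):
    """Stub PTR lookup; None stands in for NXDOMAIN (the NAT'd-space case)."""
    return PTR_RECORDS.get(ip)


def lookup_a(name):
    """Stub A lookup; empty list stands in for no answer."""
    return A_RECORDS.get(name, [])


def fcrdns(ip):
    """Return (verdict, ptr_name).

    verdict is "no-ptr" when the address has no reverse record, "mismatch"
    when the PTR names a host whose A records do not include ip, and
    "confirmed" only when reverse and forward agree.
    """
    name = lookup_ptr(ip)
    if name is None:
        return ("no-ptr", None)
    if ip in lookup_a(name):
        return ("confirmed", name)
    return ("mismatch", name)


def allow_ptr_only(ip):
    """The weak check: trust whatever name the reverse zone returns."""
    return lookup_ptr(ip) in TRUSTED_NAMES


def allow_fcrdns(ip):
    """The hardened check: the name must also resolve forward to this address."""
    verdict, name = fcrdns(ip)
    return verdict == "confirmed" and name in TRUSTED_NAMES


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "10.0.0.5"):
        print(ip, reverse_name(ip), fcrdns(ip),
              "ptr-only:", allow_ptr_only(ip), "fcrdns:", allow_fcrdns(ip))
```

The third address, 10.0.0.5, has no PTR at all, which is the situation behind the "how do I fake in-addr.arpa responses for NAT'd space" question: an application that insists on a reverse answer fails on unrouted private space unless a local reverse zone for it is served internally. Even with that zone in place, only the forward-confirmed form ties the reverse answer to a zone the address holder does not control.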



