HTTP proxies, was Re: Operational Issues with

Michael.Dillon at
Tue Dec 10 15:22:45 UTC 2002

> >> How do we get software vendors (free, pay, virus) to distribute
> >> software with appropriate defaults?

> michael> Second step, publish a directory. I.e. detect the
> michael> non-conforming devices and publish their IP addresses in an
> michael> LDAP server.

> Let me get this straight, you are suggesting that the way to fix the
> problem that there are potentially millions of insecure machines
> connected to the Internet is to *PUBLISH* the IP addresses of all of
> them in an easy to parse format?  Cute.

Yes, more or less. I am suggesting that people who have *detected* a 
vulnerability and wish to publicize this fact should publish their lists 
in a standard format and make it available via a standard protocol like 
LDAP. Since the number of *detected* vulnerable hosts is a lot lower than 
the total number of vulnerable hosts this is not as big as you think. And 
since one has to *detect* the vulnerability before publishing it, the 
scaling issue with detection is more of an issue than with publishing.

Besides, LDAP has proven to be scalable to very large databases. LDAP was 
developed as a light-weight system so that it could be scaled massively. 

> Don't tell me...we'll be able to pull the vulnerability that got the
> hosts in the list too, so we can verify that "our" machines are,
> indeed, misconfigured?  ;-)

Sure, why not? If someone is going to the trouble of collecting the 
information and publishing it, then they should publish this as well. 
After all, when you query an LDAP server you can specify which fields you 
want to retrieve. Applications that don't need the vulnerability info 
won't bother asking for it.

--Michael Dillon
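
The directory the post proposes, as an added example that is not part of the original message or of anything NANOG or the author published: detected hosts are written out as LDIF entries, and a query routine returns only the attributes the caller asks for, the way an LDAP client names which fields it wants. The host entries use the standard RFC 2307 `ipHost` object class (`cn`, `ipHostNumber`); the `vulnerabilityRef` and `detectedAt` attributes are hypothetical, as is the base DN, and the three host records are constructed sample data.

```python
"""Added example: a minimal LDIF directory of *detected* vulnerable hosts
and a search that projects entries to the requested attributes.
Assumptions (mine, not the post's): ipHost object class for the host
entry; vulnerabilityRef and detectedAt are hypothetical attributes;
DETECTED is constructed sample data, not real scan results."""
import ipaddress
from typing import Dict, List, Optional

# Constructed sample data: three detections, two sharing one advisory id.
DETECTED = [
    {"ip": "192.0.2.10",   "vuln": "EXAMPLE-OPEN-PROXY", "seen": "20021210T1500Z"},
    {"ip": "192.0.2.55",   "vuln": "EXAMPLE-OPEN-PROXY", "seen": "20021210T1502Z"},
    {"ip": "198.51.100.7", "vuln": "EXAMPLE-OPEN-RELAY", "seen": "20021210T1510Z"},
]
BASE_DN = "ou=detected,dc=example,dc=net"   # hypothetical


def to_ldif(records: List[Dict[str, str]]) -> str:
    """Serialise detections as LDIF, one entry per host, keyed by address."""
    lines: List[str] = []
    for r in records:
        # Validate before publishing: a malformed address raises ValueError
        # rather than ending up in a list other people will act on.
        ip = ipaddress.ip_address(r["ip"])
        lines += [
            f"dn: cn={ip},{BASE_DN}",
            "objectClass: top",
            "objectClass: ipHost",          # RFC 2307 class: cn + ipHostNumber
            f"cn: {ip}",
            f"ipHostNumber: {ip}",
            f"vulnerabilityRef: {r['vuln']}",   # hypothetical attribute
            f"detectedAt: {r['seen']}",          # hypothetical attribute
            "",                                   # blank line ends the entry
        ]
    return "\n".join(lines)


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse the simple 'attr: value' LDIF produced above (no wrapping/base64)."""
    entries: List[Dict[str, List[str]]] = []
    cur: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        key, _, val = line.partition(": ")
        cur.setdefault(key, []).append(val)   # attributes may be multi-valued
    if cur:
        entries.append(cur)
    return entries


def search(entries: List[Dict[str, List[str]]],
           ip: Optional[str] = None,
           attrs: Optional[List[str]] = None) -> List[Dict[str, List[str]]]:
    """Filter on ipHostNumber and project to `attrs`, like ldapsearch's
    attribute list; attrs=None returns every attribute of each match."""
    out = []
    for e in entries:
        if ip is not None and e.get("ipHostNumber") != [ip]:
            continue
        if attrs is None:
            out.append(dict(e))
        else:
            out.append({k: e[k] for k in attrs if k in e})
    return out


if __name__ == "__main__":
    directory = parse_ldif(to_ldif(DETECTED))
    # A client that only wants to know whether its address is listed:
    print(search(directory, ip="192.0.2.55", attrs=["ipHostNumber"]))
    # A client that also wants the reason it was listed:
    print(search(directory, ip="192.0.2.55", attrs=["ipHostNumber", "vulnerabilityRef"]))
```

The projection in `search` is the point of the last paragraph: the vulnerability detail is stored alongside the address, but a consumer that only wants the address list never has to request it.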

More information about the NANOG mailing list