Schneier: ISPs should bear security burden
Steven J. Sobol
sjsobol at JustThe.net
Thu Apr 28 06:16:36 UTC 2005
On Wed, 27 Apr 2005, Owen DeLong wrote:
> >
> > What's rDNS for the ip address(es) assigned to you?
> >
> I don't know about him, but, on my ADSL connection, it is controlled
> by my nameservers:
>
> ;; ANSWER SECTION:
> 10.159.192.in-addr.arpa. 86400 IN NS ns.rop.edu.
> 10.159.192.in-addr.arpa. 86400 IN NS ns.delong.sj.ca.us.
> Who are you to decide that there is no damage to blocking residential
> customers? I'm a residential customer, but, I have a number of
> servers running, and, a port 25 block would be very destructive to
> the operation of my mailserver.
Ah, but *you* wouldn't get blocked. You maintain your own rDNS and
presumably have enough clue to not make the rDNS look like a pool of
dynamic residential IPs that aren't terribly important. To wit:
sjsobol at amethyst: ~ $host 192.159.10.1
1.10.159.192.in-addr.arpa domain name pointer ns.delong.sj.ca.us.
sjsobol at amethyst: ~ $host 192.159.10.2
2.10.159.192.in-addr.arpa domain name pointer owen.delong.sj.ca.us.
sjsobol at amethyst: ~ $host 192.159.10.8
8.10.159.192.in-addr.arpa domain name pointer www.diagnostix.com.
Those are OBVIOUSLY not hostnames that comply with de-facto standards for
dynamically assigned dialup and broadband pools like
ip-192-168-0-1.AppleValleyCA.BigDSLProvider.net
or
port1.as29.phoenix.DialupFarm.com
(for example).
The idea is that your ISP should either allow you to run your own DNS or
give you DNS that doesn't look like something out of a big pool of
addresses, which makes it much, MUCH easier to decide what to block and
what not to block. Any IP that a provider allows servers on should have
distinctive, non-dynamic-looking DNS (and preferably be in a separate
netblock from the dynamically-assigned IPs).
That way you can be reasonably sure that you're not blocking someone whose
ISP has allowed them to run servers.
(Some providers are much better than others at doing this kind of
thing...)
> Why should an ISP decide what a residential
> customer can or can't do with their internet connection. (This is not
> an advocation for abandoning TOS or allowing abuse. I am talking about
> within the confines of legitimate internet use, such as hosting a web
> site (or even several), running nameservers, mail server(s), etc.)
Your ISP, or the provider of the person deciding whether to block you?
Is there anything wrong with an ISP saying "you can't run servers on
certain types of Internet connection"?
--
JustThe.net - Apple Valley, CA - http://JustThe.net/ - 888.480.4NET (4638)
Steven J. Sobol, Geek In Charge / sjsobol at JustThe.net / PGP: 0xE3AE35ED
"The wisdom of a fool won't set you free"
--New Order, "Bizarre Love Triangle"
More information about the NANOG
mailing list