large organization nameservers sending icmp packets to dns servers.

Andrew Sullivan andrew at ca.afilias.info
Tue Aug 7 21:23:31 UTC 2007


On Tue, Aug 07, 2007 at 01:50:33PM -0700, Kevin Oberman wrote:

> that security types (I mean those with a police/physical security
> background) don't much care for these arguments. It usually comes down
> to "lock and bar every door unless you can prove to them that there is a
> need to have the door unlocked".

So these people are also the ones responsible for chaining shut fire
doors because "fires never happen in this building, but theft does"? 
I sure feel safer now!

The "need to have the door unlocked" is because that's the way the
building is designed to fail its fireproofing.  And the need to have
the TCP port open is because that's the way the network protocol is
designed to fail from UDP.  

If "this is the way the protocol works" is not enough of an argument,
then I'm afraid we're past the point of engineering and into the
realm of tea-leaf readers and chicken-entrail-based prognosticators. 
I'm aware there are such people promoting themselves as security
experts.  It's rather depressing that those people can still find
gainful employment; but in this post-literate age where people prefer
to repeat (or listen to) foolish bromides rather than Read the Fine
Commentaries that define the protocol, I suppose I ought not to be
surprised.

Shocked but not surprised,
A

----
Andrew Sullivan                         204-4141 Yonge Street
Afilias Canada                        Toronto, Ontario Canada
<andrew at ca.afilias.info>                              M2P 2A8
                                        +1 416 646 3304 x4110
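The protocol behaviour the post refers to (a DNS response that does not fit in UDP comes back with the TC bit set, and the resolver is expected to retry the same query over TCP port 53) is shown below as an added example. It is not code from the post or from any resolver; the query, the truncated reply and the full reply are constructed inline, and the UDP/TCP transports are fake functions injected into the resolver loop so the whole thing runs offline. The `fake_tcp_blocked` transport stands in for a firewall that filters TCP/53, which is the failure the post is arguing about.

```python
import struct

# RFC 1035 header flag bits
QR = 0x8000   # response
TC = 0x0200   # truncated: the answer did not fit the UDP payload limit
RD = 0x0100   # recursion desired
RA = 0x0080   # recursion available


def build_query(qname, qtype=1, txid=0x1234):
    """Minimal DNS query: header with RD set, one question of class IN."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in qname.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Decode the 12-byte DNS header into the fields the fallback logic acts on."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & QR), "tc": bool(flags & TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}


def needs_tcp_retry(udp_reply, expected_id):
    """A resolver must retry over TCP when a matching response carries TC=1."""
    h = parse_header(udp_reply)
    return h["id"] == expected_id and h["qr"] and h["tc"]


def tcp_frame(msg):
    """DNS over TCP prefixes each message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(stream):
    """Strip the 2-byte length prefix, refusing a short or partial message."""
    (n,) = struct.unpack("!H", stream[:2])
    body = stream[2:2 + n]
    if len(body) != n:
        raise ValueError("incomplete TCP DNS message")
    return body


def resolve(query, udp_exchange, tcp_exchange):
    """UDP first, then TCP on truncation; transports are injected so this runs offline."""
    txid = parse_header(query)["id"]
    reply = udp_exchange(query)
    if not needs_tcp_retry(reply, txid):
        return reply
    return tcp_unframe(tcp_exchange(tcp_frame(query)))


# --- constructed sample traffic (not captured from any real server) ---
QUERY = build_query("example.com")
# same question echoed back, no answers, TC set: "too big for UDP, ask again over TCP"
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, QR | TC | RD | RA, 1, 0, 0, 0) + QUERY[12:]
# the full answer: one A record, owner name compressed to offset 12, TEST-NET address
FULL_REPLY = (struct.pack("!HHHHHH", 0x1234, QR | RD | RA, 1, 1, 0, 0) + QUERY[12:]
              + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))


def fake_udp(q):                 # the server's answer was too large for UDP
    return TRUNCATED_REPLY


def fake_tcp_open(framed):       # TCP/53 reachable: the complete answer comes back
    return tcp_frame(FULL_REPLY)


def fake_tcp_blocked(framed):    # TCP/53 filtered: the retry never gets through
    raise ConnectionRefusedError("tcp/53 filtered")


def demo(tcp_transport):
    """Answer count the resolver ends up with, or None when the TCP retry is blocked."""
    try:
        return parse_header(resolve(QUERY, fake_udp, tcp_transport))["ancount"]
    except ConnectionRefusedError:
        return None


if __name__ == "__main__":
    print("TCP/53 open:   ", demo(fake_tcp_open))
    print("TCP/53 blocked:", demo(fake_tcp_blocked))
```

With TCP/53 reachable the resolver ends up with the one-record answer; with it filtered, the only thing the client ever holds is a truncated reply with no answer section, which is exactly the "the protocol is designed to fail from UDP to TCP" point made above. The same TC-bit check is also what to look for when a firewall change is suspected of breaking resolution: a packet capture showing TC=1 replies on UDP/53 followed by unanswered SYNs to TCP/53 is the signature of this misconfiguration.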