Reverse DNS RFCs and Recommendations

Mark Andrews marka at isc.org
Sat Nov 2 04:13:02 UTC 2013


In message <527459C4.5000308 at necom830.hpcl.titech.ac.jp>, Masataka Ohta writes:
> Mark Andrews wrote:
> 
> >>>> It is a lot simpler and a lot more practical just to
> >>>> use shared secret between a CPE and a ISP's name server
> >>>> for TSIG generation.
> >>>
> >>> No it isn't.  It requires a human to transfer the secret to the CPE
> >>> device or to register the secret with the ISP.
> >>
> >> Not necessarily. When the CPE is configured through DHCP (or
> >> PPP?), the ISP can send the secret.
> > 
> > Which can be seen, in many cases, by other parties
> 
> Who can see the packets sent from the local ISP to the CPE
> directly connected to the ISP?

This is the dhcpd traffic coming in over the cable modem, and you want to
send secrets in the clear over a channel like this.

bsdi# tcpdump -n -i sis0 port bootpc
tcpdump: listening on sis0
15:05:15.637252 10.72.0.1.67 > 255.255.255.255.68:  hops:1 xid:0xc58c07ae flags:0x8000 Y:122.106.168.231 G:10.72.0.1 ether 0:1d:9:81:64:ba [|bootp]
15:05:15.650590 10.72.0.1.67 > 255.255.255.255.68:  hops:1 xid:0xc58c07ae flags:0x8000 Y:122.106.168.231 G:10.72.0.1 ether 0:1d:9:81:64:ba [|bootp]
15:05:34.942619 10.72.0.1.67 > 255.255.255.255.68:  hops:1 xid:0x122cf3bb flags:0x8000 Y:10.72.194.250 S:10.72.0.1 G:10.72.0.1 ether 0:17:ee:4c:f3:74 [|bootp]
15:05:36.975213 10.72.0.1.67 > 255.255.255.255.68:  hops:1 xid:0x122cf3bb secs:2 flags:0x8000 Y:10.72.194.250 S:10.72.0.1 G:10.72.0.1 ether 0:17:ee:4c:f3:74 [|bootp]
15:05:36.992714 10.72.0.1.67 > 255.255.255.255.68:  hops:1 xid:0x122cf3bb secs:2 flags:0x8000 Y:10.72.194.250 S:10.72.0.1 G:10.72.0.1 ether 0:17:ee:4c:f3:74 [|bootp]
15:05:55.931705 10.72.0.1.67 > 255.255.255.255.68:  hops:1 xid:0x732 flags:0x8000 Y:10.72.3.3 S:10.72.0.1 G:10.72.0.1 ether 0:11:1a:19:25:a2 [|bootp]
15:05:57.951400 10.72.0.1.67 > 255.255.255.255.68:  hops:1 xid:0x732 secs:2 flags:0x8000 Y:10.72.3.3 S:10.72.0.1 G:10.72.0.1 ether 0:11:1a:19:25:a2 [|bootp]
15:05:57.964049 10.72.0.1.67 > 255.255.255.255.68:  hops:1 xid:0x732 secs:2 flags:0x8000 Y:10.72.3.3 S:10.72.0.1 G:10.72.0.1 ether 0:11:1a:19:25:a2 [|bootp]
15:05:58.930921 10.72.0.1.67 > 255.255.255.255.68:  hops:1 xid:0xc7dba2af flags:0x8000 Y:122.106.152.0 G:10.72.0.1 ether 0:14:bf:a0:db:c8 [|bootp]
15:06:00.054322 10.72.0.1.67 > 255.255.255.255.68:  hops:1 xid:0xc7dba2b0 flags:0x8000 Y:122.106.152.0 G:10.72.0.1 ether 0:14:bf:a0:db:c8 [|bootp]
15:06:00.068061 10.72.0.1.67 > 255.255.255.255.68:  hops:1 xid:0xc7dba2b0 flags:0x8000 Y:122.106.152.0 G:10.72.0.1 ether 0:14:bf:a0:db:c8 [|bootp]
15:06:08.933232 10.72.0.1.67 > 255.255.255.255.68:  hops:1 xid:0x111fb9c2 flags:0x8000 Y:10.72.23.110 S:10.72.0.1 G:10.72.0.1 ether 0:1a:de:6f:99:e6 [|bootp]
15:06:10.941233 10.72.0.1.67 > 255.255.255.255.68:  hops:1 xid:0x111fb9c2 secs:2 flags:0x8000 Y:10.72.23.110 S:10.72.0.1 G:10.72.0.1 ether 0:1a:de:6f:99:e6 [|bootp]
15:06:10.959519 10.72.0.1.67 > 255.255.255.255.68:  hops:1 xid:0x111fb9c2 secs:2 flags:0x8000 Y:10.72.23.110 S:10.72.0.1 G:10.72.0.1 ether 0:1a:de:6f:99:e6 [|bootp]
^C
10638 packets received by filter
0 packets dropped by kernel
bsdi# 

> If you mind wiretapping, you have other things to worry
> about, which need your access line encrypted (by a manually
> configured password), which makes DHCP packets invisible.
> 
> 					Masataka Ohta
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
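To make the exposure shown in the capture above concrete, here is an added example (not from the message, Mark Andrews or ISC) that parses tcpdump's abbreviated bootp output and reports how many other subscribers' leases a single listener can see; the sample lines are copied from the quoted capture, and the listener's own MAC address is an assumed value.

```python
"""Audit a tcpdump bootp/DHCP capture for third-party lease exposure."""
import re
from collections import defaultdict

# Constructed sample input: four lines copied from the tcpdump output
# quoted in the message, in tcpdump's abbreviated "[|bootp]" format.
SAMPLE = """\
15:05:15.637252 10.72.0.1.67 > 255.255.255.255.68:  hops:1 xid:0xc58c07ae flags:0x8000 Y:122.106.168.231 G:10.72.0.1 ether 0:1d:9:81:64:ba [|bootp]
15:05:34.942619 10.72.0.1.67 > 255.255.255.255.68:  hops:1 xid:0x122cf3bb flags:0x8000 Y:10.72.194.250 S:10.72.0.1 G:10.72.0.1 ether 0:17:ee:4c:f3:74 [|bootp]
15:05:36.975213 10.72.0.1.67 > 255.255.255.255.68:  hops:1 xid:0x122cf3bb secs:2 flags:0x8000 Y:10.72.194.250 S:10.72.0.1 G:10.72.0.1 ether 0:17:ee:4c:f3:74 [|bootp]
15:05:58.930921 10.72.0.1.67 > 255.255.255.255.68:  hops:1 xid:0xc7dba2af flags:0x8000 Y:122.106.152.0 G:10.72.0.1 ether 0:14:bf:a0:db:c8 [|bootp]
"""

# timestamp, "src > dst:", the key:value fields, then "ether <mac> [|bootp]"
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+) > (?P<dst>\S+):\s+"
    r"(?P<fields>.*?) ether (?P<mac>[0-9a-f:]+) \[\|bootp\]\s*$"
)
FIELD_RE = re.compile(r"(\w+):(\S+)")   # hops, xid, secs, flags, Y, S, G

def parse_line(line):
    """Return a dict for one tcpdump bootp line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "src": m["src"], "dst": m["dst"], "mac": m["mac"]}
    rec.update(FIELD_RE.findall(m["fields"]))
    # flags 0x8000 is the BOOTP/DHCP broadcast bit: the reply goes to every host
    # on the segment, not just the client identified by the chaddr (ether) field.
    rec["broadcast"] = bool(int(rec.get("flags", "0"), 16) & 0x8000)
    return rec

def audit(capture, my_mac):
    """Summarise which other clients' leases a listener with MAC my_mac can see."""
    leases = defaultdict(set)            # client MAC -> offered addresses (Y:)
    replies = broadcast = 0
    for line in capture.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        replies += 1
        if rec["broadcast"] and rec["dst"].startswith("255.255.255.255."):
            broadcast += 1
        if "Y" in rec:
            leases[rec["mac"]].add(rec["Y"])
    others = {mac: sorted(a) for mac, a in leases.items() if mac != my_mac}
    # Any entry in "other_clients" means the segment is shared: whatever the
    # server puts in these replies is readable by every other subscriber too.
    return {"replies": replies, "broadcast": broadcast, "other_clients": others}

if __name__ == "__main__":
    print(audit(SAMPLE, "0:1d:9:81:64:ba"))   # listener MAC is an assumed value
```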

More information about the NANOG mailing list