Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re DNS spoofing issue discussion
From: Mary and Glenn Everhart <Everhart () gce com>
Date: Thu, 31 Jul 2008 20:29:13 -0400

To: Valdis.Kletnieks () vt edu
Subject: RE: [Full-disclosure] DNS spoofing issue. Thoughts on

I chose my wording to cover not only DNSSEC but possible alternatives
that could be devised. Certs are not the only way to do it, but it
needs to be installed all over.

The BGP fixes were devised after the last meltdown, but question again
is whether they are installed. If DNSSEC had been installed, Kaminsky's 
would not exist.

Since the number of sites running BGP among themselves is not that huge,
it is probably not as practical an attack vector. Last meltdown that
happened was said to be solved largely because most of the BGP site 
knew each other well enough to recognize voices on the phone. Net's bigger
now tho.

The fact that the recent youtube route hijack and the kenya routing 
incidents happened suggests that the md5 security is not in fact in 
place much
(needs predefined secrets installed and apparently people don't configure it
to do anything). That being the case, a reminder that maybe it could be 
good to
reexamine this seems not totally daft.

Glenn Everhart
Everhart () gce com

(posting from home; I am the same one who has posted from work also.)

-----Original Message-----
From: Valdis.Kletnieks () vt edu [mailto:Valdis.Kletnieks () vt edu]
Sent: Wednesday, July 30, 2008 11:30 AM
To: Everhart, Glenn (Card Services)
Cc: pschmehl_lists_nada () tx rr com; randallm () fidmail com;
full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] DNS spoofing issue. Thoughts on

On Sun, 27 Jul 2008 14:07:03 EDT, Glenn.Everhart () c<censored>h.a.sx.com said:
The need for something more like ssl certs in there remains

It's called DNSSEC, which has been out for a decade and more.

(Also needed for bgp I suspect).

RFC2385 (TCP MD5 protection for BGP) addresses most of the issues, at least
on a peer-to-peer basis, and has been out for a decade.  There's a 
of the issues in RFC5123.

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]