Home page logo

nanog logo nanog mailing list archives

From: John Fraizer <nanog () Overkill EnterZone Net>
Date: Mon, 14 May 2001 04:32:45 -0400 (EDT)

On Mon, 14 May 2001, Roeland Meyer whimpered:

From: Adam McKenna [mailto:adam () flounder net]
Sent: Sunday, May 13, 2001 10:06 PM

Oracle (try and build a DB without reverse working right. 
Net8 stops you
dead in your tracks).

Sorry, but this is just 100% wrong.  I've set up Oracle on 
many boxes and you
don't need any DNS at all to set up an oracle DB.  In fact, I 
tell our DBA's
to use IP addresses in their TNSNAMES.ORA files because I 
don't want the DB
depending on DNS.

Let's see, I don't want to make my DBs dependent on DNS, so I use IP addrs.
Yet, I can't depend on IP addrs because my upstream might have to be
changed... damn, I shouldn't have depended on my scumbag DSL upstream, eh?
Gee, maybe I should have had a names based system after all? Either way, I
wind up having to rebuild Oracle boxen and application servers, every time
somebody farts. Just what in blue hell are we supposed to do?

Um, lets see...how about this.  You use NAT.  That'll be $180.00 please.  
I'll send you an invoice.

BTW, the last I checked SSL certs are usually names based. Pretty slack
security, eh?

Slack, no. You're comparing apples to oranges here and HOPEFULLY, you know
it.  Basing security on IN-ADDR is absolutely idiotic.  It is VERY easy to
spoof and there's not a damned thing you can do to stop the spoofing.  
Basing security on IP addresses on the other hand is while not a complete
security solution, MUCH MORE SOUND than IN-ADDR.  You can at least build
ACLs in your router(s) that don't allow spoofed traffic to enter your
network.  Now, about the SSL security thing. SSL certification is designed
to certify the identity of the server and that identity is based on the
FQDN.  SSL CERTs are around for the PRECISE reason that it is too easy to
spoof IN-ADDR, etc.

This is right on up there with: 
1) You idiot DSL monkey, you deserve your Inet death because you didn't
2) No, you can't advertise less than a /20.
3) No, you don't deserve larger than a /32.
4) Yes, we know that makes multi-homing impossible for those that need it
the most.
5) No, we don't care, you idiot DSL monkeys deserve Inet death.

Yeah, the message you send out is real clear.
... and one wonders why the Internet has an implosion problem...

And that's right up there with "<plonk!> me please!  I'm an idiot DSL
monkey!  WAAAAAAAAAA!  My DSL provider went tits-up and I hadn't built any
contengency plan.  I'm going to go bankrupt!  WAAAAAAAAA!"

You got caught with your pants down.  It's that simple.  You're not alone.  
A whole slew of folks went through (or are going through) the same thing.  
The difference is that the VAST MAJORITY of them are NOT bitching and
moaning about it on NANOG about it.


If your business depends (depended) on stable and reliable internet
connectivity with your own (or at least non-changing) address space, might
I suggest that you should have gone to ARIN for a microblock of address
space and established a contengency plan with some other provider(s) in
the event that the sky fell?

Internet implosion at 10:00 ... special web report, at 11:00.

John Fraizer
EnterZone, Inc

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]