On 10/21/2013 11:04 AM, Colm MacCárthaigh wrote:

>> remembering that the vulnerabilities you are reporting and the
>> workarounds you're recommending will be judged according to
>> engineering economics. if we assume that dnssec is practical on a
>> wide enough scale that it could prevent the vulnerabilities you
>> are reporting on, then your work is of mainly academic interest.
>> as vernon said earlier today, none of the vulnerabilities you are
>> reporting on have been seen in use. i also agree with vernon's
>> assessment that none of them will ever be seen in use.
>
> Back before Kaminsky made the need for port randomisation undeniable
> with an actual working PoC, this sounds like the ISC/Bind response to
> port randomisation attacks. Other implementors and operators made a
> better judgement and avoided the problem entirely, taking the cautious
> path.
The ISC/BIND response to Kaminsky in 2008 was to burn perhaps 50% of the company's product-wide development and support resources over that year to co-ordinating, fixing, disclosing, patching, releasing and evangelizing the solution to the problem. While at the time it felt to us like great public benefit work was being done for the community, even by the end of that year it was becoming clear it was not a particularly great business decision.

Applying the same 5 years' now-outside hindsight to this, the benefits of all that port randomization work seem murky at best - does anyone have data on how many real Kaminsky cache-poisoning attacks took place in that time? The Herzberg/Shulman attacks seem even harder to exploit in a real (as opposed to lab) environment.

Disclosing such potential vulnerabilities remains valuable work, but I think careful consideration needs to be applied to the engineering economics of the best operational-world mitigation approaches.

Keith

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs