Re: [sig-policy] Returned to SIG: prop-110: Designate 1.2.3.0/24 as Anyc
> As such, I am not saying that a bad network operator could not announce
> 1.2.3.4, and wait for people to use him. I am saying that this is not an
> additional danger, many people already use 8.8.8.8. and 4.4.2.2, for
> example, or OpenDNS.
These are different. Google Public DNS and OpenDNS are maintained by
the service operators, and they are responsible for fixing the
services if there are any issues. However, regarding prop-110
(1.2.3.0/24), anyone can operate the network as they like - nicely,
badly, or even for malicious purposes.
> And any person deciding to announce 1.2.3.0/24 to the open network, would
> have to face a massive traffic storm anyway. prop-109 by Geoff Huston
> mentions the traffic flowing to certain easily-remembered ranges. Assuming
> that 1.2.3.0/24 gets even 50Mbps of traffic if I announce it to the
> Internet, that is still an expensive pipe, and probably not worth it
> on the off-chance that a random user will use it and allow "evil me" to
> redirect him to the particular bank that he is a member of, and which I am
> forging a website for.
OK, here is an example. The following report is published by
cert.br, and according to their analysis, attackers were serving
caching DNS for 4.5 million users just to steal bank accounts from the users.
*1) Phishing and Banking Trojan Cases Affecting Brazil, From P.17
- http://www.cert.br/docs/palestras/certbr-firstsymposium2012.pdf
Attackers are patient, know your network, compromise your equipment,
and can use it for evil purposes. We should not create a new
security risk.
> To summarize, there is no ADDITIONAL danger, and there are some advantages
> to this proposal. I would like work on this proposal to continue, and see
> if we can address the concerns raised at the APNIC Meeting.
This is not reliable from the user's point of view, and is even dangerous. I
support dropping the proposal.
Regards,
-----
Matsuzaki Yoshinobu <maz at iij dot ad dot jp>
- IIJ/AS2497 INOC-DBA: 2497*629