Date: Wed, 29 Sep 1999 23:44:32 +0000 (GMT)
From: Terry Lambert <tlambert@primenet.com>
To: brett@lariat.org (Brett Glass)
Cc: tlambert@primenet.com, alk@pobox.com, gary@eyelab.psy.msu.edu, chat@FreeBSD.ORG
Subject: Re: On hub.freebsd.org refusing to talk to dialups
Message-ID: <199909292344.QAA09145@usr08.primenet.com>
In-Reply-To: <4.2.0.58.19990929112454.047535d0@localhost> from "Brett Glass" at Sep 29, 99 11:35:01 am

> >"He who would trade liberty for security, deserves neither."
> >     -- Benjamin Franklin
>
> The correct quote is:
>
> "They that can give up essential liberty to obtain a little temporary safety
> deserve neither liberty nor safety." Benjamin Franklin

Thanks. I was quoting from a fortunes file.

> The use of port 25 is not "essential" so long as a mail server is
> provided, nor is it "essential" to be able to receive e-mail sent directly
> from other ISPs' dial-ins. Freedom from spam brings INCREASED liberty, not
> less. It makes life more productive and pleasant, and assures that ISPs'
> resources aren't abused, which is a very good thing, IMHO. Your mileage
> may vary, of course.

This really has little bearing on the point that I was attacking,
which was your statement that "Ah, but they're not draconian. Our
membership overwhelmingly favored them.".

A majority does not the definition of "draconian" make; "draconian"
is based on the action, not how favorably the action is received
among a sample group.

You also seem to be implying that I am somehow "pro SPAM".

To my knowledge, I am the only person whose email address was
removed from Sanford Wallace's CDROM of email addresses, for my
perseverance in following through on the dictum that "to SPAM
me is to lose a relay". It costs more money in lost relayability
than you could ever hope to get, even if I were stupid enough to
buy the product you are SPAM'ming me about. I also made it a
point to contact, in writing, the people employing his services
to make the point I would not recommend their products, under any
circumstances.

In one year, I volunteered over 700 hours to help secure open
SMTP relays. This as opposed to trying to get those relays into
the ORBS or the RBL, or to get their dialup lines into DUL.

In short, I engaged in a hell of a lot more constructive (and
effective) behaviour than most people have been advocating in
this thread.

> >Not to mention that they will become inoperational in the face
> >of IPv6 stateless autoconfiguration. What will you do then?
>
> I haven't looked into the issue of what IPv6 might mean to the DUL or
> RBL. However, I'm sure that Paul Vixie is. (I wouldn't mind learning
> more about the topic myself, as I certainly don't want to give up either
> facility when I move to IPv6.)

Paul has advocated that reverse addresses not be automatically
assigned to such addresses which result from IPv6 stateless
autoconfiguration.

Others have advocated a huge administrative infrastructure that
would result in such addresses being firewalled from sending
packets, with explicit stateful configuration.

The IPv6 working group (actually IPNGWG) has, understandably,
opposed both of these positions. See:

	http://playground.sun.com/pub/ipng/html/ipng-main.html

for detailed information on IPv6.

Note that Paul's approach would not stop SPAM via the DUL, but
would rather stop it by the reverse lookup returning an error,
instead of returning a valid reverse mapping, as a side effect.

Most people I've discussed this with (in the DNSIND, DNSOP and
DNSSEC working groups) tend to agree that if a host has a valid
IP address that is not specifically administratively prohibited
from being routed, that the DNS server owning the delegation
for the block in which the address resides should allow a DNS
update to reflect the machine's desired host and domain name.

The point is, short of firewalling all such addresses, there is
no way to prevent their assignment in an IPv6 network. This was
an intended design goal of IPv6.

Once assigned, the DNS server owning the delegation for the block
in which the address resides is _OBLIGATED_ to provide a reverse
mapping, if it allows packets originating from that address to be
routed off the network.

A correct way of implementing security in the case of deciding
whether or not to route packets would be to query the home name
server for the machine, and see if the client's certificate was
signed with the home server's private key, and if so, allow the
entry.

Either way, even if you accept the nightmare of administration
associated with trying to control everything that it's possible
to control (perhaps if someone was so anal retentive that if we
shoved a lump of coal up their arse and came back an hour later,
we would find a diamond), you really can't implement IPv6 and
not allow such updates, if you allow routing at all.

The classic case is a laptop from "visitor.com" in an IR-equipped
conference room at "example.com" getting an IPv6 address, and
wanting a reverse assignment as "laptop01.visitor.com" instead of
"visiting-laptop38.example.com". Maybe it needs this to get a
VPN connection to access a common installation of "PowerPoint"
for a presentation in the conference room; the reason is really
irrelevant, so long as there is one valid reason which people
may want to do this (and I can think of dozens, including that
"example.com" doesn't want administrative responsibility for the
laptop from "visitor.com"'s actions).


					Terry Lambert
					terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.