Re: PI/metro/geo [Re: The state of IPv6 multihoming development]
On Tuesday, Nov 5, 2002, at 10:54 America/Montreal, Iljitsch van
TCP connection hijacking relies on this ability to perform a
Forging IP addresses is easy in one direction. But 1. receiving the
packets that are sent back and 2. shutting up the real destination
aren't as easy, but those are also necessary to successfully engage in
attack. It is a long-standing threat and it isn't that hard to engage
See papers by Bellovin and others dating back to maybe 1988 for more.
but no one does because DNSsec is not deployed (and there are
of how deployable it is).
If you use SSL there is no need for the DNS replies to be 100% reliable
anyway as forging DNS information just becomes a very elaborate DoS
SSL is not a general solution. Consider UDP-based applications or
routing protocols such as OSPF -- neither of which is helped one iota