> regarding actually *using* names rather than numbers, there are some
> low-value services that perhaps names are appropriate for, in general:
> e.g. access to outward-only proxies or low value services, or services
> which use other forms of authentication (e.g. encryption).
>
> regarding whether internal DNS servers are susceptible to attack: in
> some environments they can be attacked by insiders not all of whom are
> trustworthy, but my point was mostly directed at engineering for
> reliability -- one would hope a firewall would not need to rely on n
> other computers also being up for it to do its job correctly.
>
....
>
> I guess not. What kind of firewall technology are you using that
> embeds IP addresses/names all over the place and doesn't let you change
> them easily?
> I welcome the demise of /etc/hosts.
>
> mark seiden, mis@seiden.com, 1-(415) 592 8559 (voice)
Interesting discussion. There is a group of people over there ->
that are discussing the ramifications of periodic renumbering
of infrastructure components. The basic premise is that
renumbering of infrastructure will become more prevalent
as the Internet grows. (discussions on the validity of this
premise are for private email to me)
The end result is that the use of dotted quads as persistent
identifiers will become greatly reduced. There will be an
increasing dependence on services like DNS and DHCP to
have enabled infrastructure.
If you have some thoughts on the scope of changes that this
will bring to the trust model on which current firewalls are
built, your comments are encouraged.
general list - pier-request@isi.edu
Dave O'Leary - doleary@cisco.com
Howard C. Berkowitz - hcb@mail.clark.net
http://www.isi.edu/div7/pier (the papers link).
--bill
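The trade-off the thread is circling (names in rules make renumbering painless but make the filter depend on DNS being up and honest for every decision; addresses in rules need no other machine but go stale when the network is renumbered) is easy to see in a small model. The following is an added illustration written for this page, not code from anyone in the thread and not any real firewall's implementation. The policy, the host names, the address table and the "poisoned" and "renumbered" resolver contents are all constructed for the example.

```python
"""Model of a packet filter whose rules may name hosts rather than addresses.

Two evaluation strategies are compared:
  compile_policy + match_compiled: names resolved once at policy load;
      no runtime dependency on DNS, but stale after a renumbering.
  match_live: names resolved on every decision; follows renumbering,
      but a DNS outage or a poisoned record now decides the packet.
All names, addresses and resolver tables below are constructed examples.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed policy: first match wins, default deny.
RULES: List[Tuple[str, str]] = [
    ("admin.example.internal", "allow"),  # name-based rule for the admin workstation
    ("10.1.0.0/16", "allow"),              # address-based rule for the old site prefix
    ("0.0.0.0/0", "deny"),
]

# Constructed "internal DNS" contents for three situations.
DNS_GOOD: Dict[str, str] = {"admin.example.internal": "10.9.9.9"}
DNS_RENUMBERED: Dict[str, str] = {"admin.example.internal": "10.59.9.9"}
DNS_POISONED: Dict[str, str] = {"admin.example.internal": "10.200.0.66"}  # insider's box
DNS_DOWN = None  # resolver unreachable


def is_address_spec(spec: str) -> bool:
    """True if the rule source is an address or prefix rather than a name."""
    try:
        ip_network(spec, strict=False)
        return True
    except ValueError:
        return False


def resolve(name: str, dns: Optional[Dict[str, str]]):
    """Look a name up in the (constructed) DNS table; a /32 comes back."""
    if dns is None:
        raise LookupError(f"resolver unreachable while looking up {name}")
    if name not in dns:
        raise LookupError(f"no record for {name}")
    return ip_network(dns[name])


def compile_policy(rules, dns):
    """Resolve every name once at load time and return address-only rules.

    Loading fails outright if the resolver is down: the filter cannot even
    start without the n other machines being up (the reliability point).
    """
    compiled = []
    for spec, action in rules:
        net = ip_network(spec, strict=False) if is_address_spec(spec) else resolve(spec, dns)
        compiled.append((net, action))
    return compiled


def match_compiled(compiled, src: str) -> str:
    """Decide a packet against a pre-resolved policy; needs nothing else up."""
    addr = ip_address(src)
    for net, action in compiled:
        if addr in net:
            return action
    return "deny"


def match_live(rules, dns, src: str) -> str:
    """Decide a packet resolving names as it goes; an unanswerable lookup
    denies the packet (fail closed) rather than guessing."""
    addr = ip_address(src)
    for spec, action in rules:
        if is_address_spec(spec):
            net = ip_network(spec, strict=False)
        else:
            try:
                net = resolve(spec, dns)
            except LookupError:
                return "deny"
        if addr in net:
            return action
    return "deny"


def policy_loads_without_dns() -> bool:
    """Whether a name-bearing policy can be loaded while DNS is unreachable."""
    try:
        compile_policy(RULES, DNS_DOWN)
        return True
    except LookupError:
        return False


def scenarios() -> Dict[str, str]:
    """The outcomes the thread argues about, side by side."""
    loaded = compile_policy(RULES, DNS_GOOD)  # compiled before the renumbering
    return {
        "admin_before_renumbering": match_compiled(loaded, "10.9.9.9"),
        "admin_after_renumbering_stale_policy": match_compiled(loaded, "10.59.9.9"),
        "admin_after_renumbering_live_lookup": match_live(RULES, DNS_RENUMBERED, "10.59.9.9"),
        "insider_poisoned_dns_live_lookup": match_live(RULES, DNS_POISONED, "10.200.0.66"),
        "insider_poisoned_dns_stale_policy": match_compiled(loaded, "10.200.0.66"),
        "dns_down_live_lookup": match_live(RULES, DNS_DOWN, "10.9.9.9"),
        "dns_down_stale_policy": match_compiled(loaded, "10.9.9.9"),
    }


if __name__ == "__main__":
    for label, outcome in scenarios().items():
        print(f"{label:40s} {outcome}")
    print(f"{'policy loads with DNS down':40s} {policy_loads_without_dns()}")
```

Running it shows the two strategies failing in opposite directions: the load-time policy keeps working when DNS is down and ignores the poisoned record, but denies the legitimately renumbered admin host until someone reloads it; the live-lookup policy follows the renumbering, but lets the insider's 10.200.0.66 through once the name points at it, and locks everyone out (fail closed) the moment the resolver is unreachable. Either way the name in the rule has quietly made the DNS server part of the firewall's trust base.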