funsec mailing list archives

Re: [Infowarrior] - China's Great Firewall spreads overseas


From: Dan Kaminsky <dan () doxpara com>
Date: Mon, 29 Mar 2010 12:41:54 -0400

On Mon, Mar 29, 2010 at 12:16 PM, RL Vaughn <rl_vaughn () baylor edu> wrote:

On 3/29/10 9:53 AM, Valdis.Kletnieks () vt edu wrote:

http://www.computerworld.com/s/article/9174132/China_s_Great_Firewall_spreads_overseas

So was this a DNS or BGP issue? The reporter appears to be confused, or
was it the Arbor Networks talking head?

It was a DNS issue.  One host in i-root was providing incorrect answers.
The reason for those incorrect answers is unknown but the solution was
to remove the responsible host from the i-root anycast.


Anycast, of course, being a BGP technology that multihomes a single IP
across multiple locations, exposing the "fastest endpoint" as per BGP
calculations to any node on the net.  So it's both DNS and BGP.

The larger issue, which I guess nobody wants to talk about, is that the
Internet is very much designed to be flat along certain dimensions.  Anycast
itself is a bit of a hack against that -- the same IP is not actually the
same endpoint globally -- but at least presumably the backing organization
behind the IP is supposed to be constant.  Even enterprise-level filtering
does not violate this rule, because enterprises are *endpoints* and not
*routing nodes* on the net.

Scaling this sort of operation past the enterprise has scoping issues that
ultimately, predictably, and unfixably lead to network instability.
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
