[ntp:questions] Re: restrict lines

Brad Knowles brad at stop.mail-abuse.org
Tue Mar 15 02:31:43 UTC 2005


At 5:28 PM -0800 2005-03-14, David Schwartz wrote:

>>  Okay, go fix the entire Internet, then.  Please report back when you're
>>  done.
>
>      That's exactly what needs to be done, and that's exactly what *is* being
>  done.

	Not really, no.  Go read kc claffy's various reports to IETF, 
ICANN, and other organizations over the years.  The situations I've 
described have been known for years, and haven't changed very much in 
that time.  Yes, some machines get fixed, but more machines come 
online that are screwed-up, and they usually more than 
counter-balance the machines which have been fixed.

	We're fighting a battle here, and we're losing.


	Or have you written some papers and books on the subject that 
I've missed in my extensive publications survey?

>>  Meanwhile, the rest of the world has been learning the lesson over the
>>  past decade that name-based security is one of the stupidest ideas ever
>>  invented.
>
>      Over no security at all, I'll take it.

	Bad idea.  The illusion of security is far worse than having no 
security when combined with the knowledge that you have no security. 
The illusion of security lulls you into complacency, and then you 
really get nuked.

	At least if you know that you have no clothes, you're going to be 
a lot more careful as to who you allow to see you.



	We have IP-based security today.  This doesn't map well to 
name-based server directives.  We know this.  We're working on a 
solution.  But it won't by by trying to tack on some bizarre concept 
of name-based security in the "restrict" directive.

-- 
Brad Knowles, <brad at stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."

     -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
     Assembly to the Governor, November 11, 1755

   SAGE member since 1995.  See <http://www.sage.org/> for more info.



More information about the questions mailing list