[ntp:questions] Re: restrict lines
brad at stop.mail-abuse.org
Tue Mar 15 02:31:43 UTC 2005
At 5:28 PM -0800 2005-03-14, David Schwartz wrote:

>> Okay, go fix the entire Internet, then. Please report back when you're
>
> That's exactly what needs to be done, and that's exactly what *is* being

Not really, no. Go read kc claffy's various reports to IETF,
ICANN, and other organizations over the years. The situations I've
described have been known for years, and haven't changed very much in
that time. Yes, some machines get fixed, but more machines come
online that are screwed-up, and they usually more than
counter-balance the machines which have been fixed.

We're fighting a battle here, and we're losing.

Or have you written some papers and books on the subject that
I've missed in my extensive publications survey?

>> Meanwhile, the rest of the world has been learning the lesson over the
>> past decade that name-based security is one of the stupidest ideas ever
>
> Over no security at all, I'll take it.

Bad idea. The illusion of security is far worse than having no
security when combined with the knowledge that you have no security.
The illusion of security lulls you into complacency, and then you
really get nuked.

At least if you know that you have no clothes, you're going to be
a lot more careful as to who you allow to see you.

We have IP-based security today. This doesn't map well to
name-based server directives. We know this. We're working on a
solution. But it won't be by trying to tack on some bizarre concept
of name-based security in the "restrict" directive.

Brad Knowles, <brad at stop.mail-abuse.org>
"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755
SAGE member since 1995. See <http://www.sage.org/> for more info.