[LACNIC/Seguridad] [lacnog] Thomas Ptacek: Against DNSSEC

[Fernando Gont]

Diego,

On 01/26/2016 07:28 PM, Espinoza Sanchez, Luis Diego wrote:
> Mis ¢2 
> 1 - Creo que la seguridad basada en defensa por capas, no ha pasado de
> moda, así como las organizaciones tienen un firewall, también aseguran
> los servidores en si mismos y las aplicaciones, así como todo lo
> relacionado con el acceso lógico y físico, aunque exista firewall.  En
> este caso, DNSSEC lo pueden ver como una capa mas de seguridad. 

Yo creo que el concepto es diferente. Uno puede, en general, pensar en
seguridad en capaz como distintas formas de proteger la misma cosa (con
distintos costos, etc.).

Por ej., en
<https://tools.ietf.org/html/draft-gont-opsawg-firewalls-analysis-01>,
decimos:

3.1.  The Role of Firewalls in Internet Security

   One could compare the role of firewalls in prophylactic perimeter
   security to that of the human skin: the service that the skin
   performs for the rest of the body is to keep common crud out, and as
   a result prevent much damage and infection that could otherwise
   occur.  The body supplies prophylactic perimeter security for itself
   and then presumes that the security perimeter has been breached; real
   defenses against attacks on the body include powerful systems that
   detect changes (anomalies) counterproductive to human health, and
   recognizable attack syndromes such as common or recently-seen
   diseases.  One might well ask, in view of those superior defenses,
   whether there is any value in the skin at all; the value is easily
   stated, however.  It is not in preventing the need for the stronger
   solutions, but in making their expensive invocation less needful and
   more focused.

El argumento acá es que autentificar el mapeo nombre -> IP en realidad
no esta brindando ninguna proteccion extra real.

-- 
Fernando Gont
SI6 Networks
e-mail: fgont en si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492