Re: tcp.invited_nodes

From: Frank van Bortel <fbortel_at_home.nl>
Date: Sat, 03 Jul 2010 15:43:05 +0200
Message-ID: <61db7$4c2f3e69$524ba3af$13448_at_cache5.tilbu1.nb.home.nl>



On 06/29/2010 10:42 PM, Mladen Gogala wrote:
> On Tue, 29 Jun 2010 21:18:16 +0200, Frank van Bortel wrote:
>
>> On 06/29/2010 08:39 PM, ddf wrote:
>>> On Jun 29, 2:01 pm, Chuck<chuckh1958_nos..._at_gmail.com> wrote:
>>>> When using this parameter in sqlnet.ora, and specifying host names,
>>>> are there any checks performed to see if a hostname has been spoofed?
>>>> Perhaps comparing the client's IP with a DNS lookup of the host name?
>>>
>>> No. The list is used 'as-is' without any verification via DNS lookup.
>>>
>>>
>>> David Fitzjarrell
>>
>> Not quite, David.
>>
>> I cannot recall what exactly was the matter, but I have had one instance
>> where the listener would not start because one of the clients mentioned
>> no longer existed.
>> Not sure if it was a DNS lookup to find the IP-address, or the reverse
>> (and the IP-address (DHCP!) was no longer available).
>>
>> Quite horrible if that's a production system, because you will have to
>> go through each and every name (in case of DHCP clients) or IP-address
>> (servers)
>
> Based on my experience, it's far easier to block the undesired clients by
> using the firewall rules than by using validnode checking. This feature
> is useless.
>

Not if you're internal - no firewall between client and server, not in that direction anyway.

-- 

Regards,

Frank van Bortel
Received on Sat Jul 03 2010 - 08:43:05 CDT
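
The report above of a listener that would not start after a listed client stopped existing suggests checking the list before a listener restart. The following is an added example, not part of the original thread: it pulls the tcp.invited_nodes entries out of sqlnet.ora text and reports host names that no longer resolve. The sample file contents and host names are constructed, and the parser assumes one parenthesised list of plain host names or IP literals.

```python
import ipaddress
import re
import socket

# Constructed sample sqlnet.ora; host names are made up for illustration.
SAMPLE_SQLNET_ORA = """\
# validnode checking
tcp.validnode_checking = yes
tcp.invited_nodes = (appsrv01.example.com, 192.0.2.10,
                     retired-pc.example.com)  # DHCP client
"""

def invited_nodes(text):
    """Return the entries of tcp.invited_nodes from sqlnet.ora text."""
    # Strip '#' comments first, then let the parenthesised list span lines.
    body = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    m = re.search(r"tcp\.invited_nodes\s*=\s*\(([^)]*)\)", body, re.I)
    if not m:
        return []
    return [e.strip() for e in m.group(1).split(",") if e.strip()]

def is_ip_literal(entry):
    """True for an IPv4/IPv6 literal, which needs no name lookup."""
    try:
        ipaddress.ip_address(entry)
        return True
    except ValueError:
        return False

def unresolvable(entries, resolve=socket.gethostbyname):
    """Host names in the list that the resolver cannot look up."""
    bad = []
    for entry in entries:
        if is_ip_literal(entry):
            continue
        try:
            resolve(entry)
        except OSError:  # socket.gaierror is a subclass of OSError
            bad.append(entry)
    return bad

if __name__ == "__main__":
    stale = unresolvable(invited_nodes(SAMPLE_SQLNET_ORA))
    print("unresolvable entries:", stale or "none")
```

The `resolve` parameter is there so the check can be exercised without DNS; in normal use it defaults to the system resolver.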
