Firewall Wizards mailing list archives
Re: A fun smackdown...
From: Chuck Swiger <chuck () codefab com>
Date: Sat, 21 May 2005 14:21:39 -0400
On May 21, 2005, at 12:58 PM, Marcus J. Ranum wrote:
> Chuck Swiger wrote:
>> By definition, the IETF is concerned with systems which interoperate over public networks using network-wide conventions and publicly documented standards. What people do with private machines or private networks is up to them, at least so long as they *don't* connect those machines to the Internet.
>
> You're completely ignoring the fundamental dilemma that I am trying to get you to confront. My position in a nutshell:
>
> - "Standards that don't take security into account are not internet-worthy"
>
> and you're asserting
>
> - "If you don't follow standards you break 'legitimate' traffic"
>
> The problem is that, since the standards don't take security into account, the traffic is not 'legitimate' - it's 'dangerous' and a security device can and SHOULD interfere with it.
You've asserted that all standards are useless. You've asserted that standards which do not take security into account are not internet-worthy. You seem to believe that no Internet standard is legitimate and all traffic must be considered dangerous.
Your position is comprehensible but so extreme as to not be especially useful. By analogy:
There is a non-skid surface on the floor of my tub, but I could still break my neck if I slipped, I suppose. Should I worry about this horrible possibility excessively? So much that I forget to lock my front door? It's useful to worry about stuff which is likely to happen, is likely to matter, and is something you can do something useful about, without spending so much effort that the net impact outweighs the loss of productive work.
> Maybe the first time someone invents a PMTUD denial of service attack you'll "get it."
People have already played lots of games using ICMP traffic. Rate-limiting ICMP responses and preventing replies to network broadcast addr's to prevent amplification/DoS works pretty well for now.
If I try to talk to www.example.com:80 using DF, I expect that to work. I don't agree that a firewall should block ICMP unreachable messages generated for a connection which would normally be permitted by the security policy. Rate-limit, sure. But not blackhole...
--
-Chuck

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
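The stance in the last two paragraphs of the post (pass ICMP unreachable messages that belong to a connection the policy already permits, rate-limit them rather than blackhole them) as an added example, not code from the thread or from any firewall product: a small Python model of that decision for ICMP type 3 code 4 (Fragmentation Needed), the message PMTUD depends on. The flow table, addresses and token-bucket parameters are constructed assumptions.

```python
import socket
import struct

# Constructed example: the policy permits TCP from an inside client to a web
# server on port 80 (documentation-space addresses, not real hosts).
PERMITTED_FLOWS = {("192.0.2.10", "198.51.100.80", 6, 80)}  # (src, dst, proto, dport)


def build_frag_needed(src, dst, sport, dport, mtu):
    """Construct an ICMP type 3 code 4 message quoting the original IP + TCP header
    (ICMP checksum left zero; this model does not verify checksums)."""
    icmp = struct.pack("!BBHHH", 3, 4, 0, 0, mtu)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))  # DF bit set
    tcp = struct.pack("!HHI", sport, dport, 0)  # first 8 bytes of the TCP header
    return icmp + ip + tcp

def parse_frag_needed(payload):
    """Return (mtu, (src, dst, proto, sport, dport)) of the quoted packet, else None."""
    if len(payload) < 36:
        return None
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", payload[:8])
    if icmp_type != 3 or code != 4:
        return None
    inner = payload[8:]
    ihl = (inner[0] & 0x0F) * 4
    if ihl < 20 or len(inner) < ihl + 4:
        return None
    src, dst = socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20])
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return mtu, (src, dst, inner[9], sport, dport)

class IcmpPolicy:
    """Pass Fragmentation Needed only for permitted flows, under a token-bucket limit."""
    def __init__(self, flows, rate=10.0, burst=5):  # rate/burst are assumed values
        self.flows, self.rate, self.burst = flows, rate, burst
        self.tokens, self.last = float(burst), 0.0

    def decide(self, payload, now):
        parsed = parse_frag_needed(payload)
        if parsed is None:
            return "drop"  # not a Fragmentation Needed message
        _mtu, (src, dst, proto, _sport, dport) = parsed
        if (src, dst, proto, dport) not in self.flows:
            return "drop"  # unrelated to any connection the policy permits
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1.0:
            return "rate-limited"  # throttle a flood of otherwise valid messages
        self.tokens -= 1.0
        return "pass"
```

A real stateful firewall does the equivalent lookup against its connection table instead of a static set, so a Fragmentation Needed message for a live www.example.com:80 session passes while one quoting a flow that was never allowed is dropped.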