nanog mailing list archives
Re: IAB concerns against permanent deployment of edge-based filtering
From: Eliot Lear <lear () cisco com>
Date: Sat, 18 Oct 2003 13:34:24 -0700
Valdis hits the nail on the head. And this boils down to something that I believe is attributable to someone commenting on the old FSP protocol, perhaps Erik Fair:
    The Internet routes around damage.

Damage can take the form of a broken link, or it can take the form of an access-list. In the early '90s, NASA attempted to protect its links from "unauthorized use" (which in this particular case was porn). That caused a whole protocol to be developed (proving the old adage). Well, nowadays you don't even need to build a whole protocol - you can just use HTTP.
And that was the point of Keith's & Ned's RFC on HTTP as a substrate. Excessive restrictions in firewalls bring about this use, and that makes the HTTP implementations fairly complex, and it will subvert the intentions of network administrators.
So as a temporary measure during an active attack, access-lists make sense. Over the long haul, however, unless you're going to block downstream TCP packets with SYN only and ALL OTHER TRAFFIC, IP can run on just about anything.
Eliot

Valdis.Kletnieks () vt edu wrote:
> On Sat, 18 Oct 2003 11:14:42 PDT, bmanning () karoshi com said:
> > There is a real danger that long-term continued blocking will lead to "everything on one port"
> > fair amount of handwaving there.
>
> Question: Why was RFC3093 published? (Think(*) for a bit here...)
>
> About a month later, there was a *major* flame-fest on the IETF list due to this message:
> http://www.ietf.org/mail-archive/ietf/Current/msg11918.html
>
> Yes, the basic reason for this proposal was because many firewalls will pass HTTP but not BEEP.
>
> What major P2P applications have included a "run over port 80" option to let themselves through firewalls?
>
> It's not just handwaving.
>
> (*) Remember - satire isn't funny if it isn't about something recognizable...