RE: Smallest Transit MTU

["David Schwartz" <davids () webmaster com>]

> On Thu, 30 Dec 2004 17:42:44 -0800
> "David Schwartz" <davids () webmaster com> wrote:

> I think you may be fearful that the use of reserved bits introduces
> a new security risk, because of something a system may do in response
> to the use of those new fields.  That is a very legitimate concern
> and a very real potential risk.  I guess in my view of the world, in
> practical terms, we're not likely to see an experimental protocol
> start getting widely deployed and then suddenly discover that we have
> a major security threat on our hands that we cannot easily fix before
> it brings the net to a complete halt.  At least not since the
> publication of RFC 793.  :-)

        The point is one of when you make the decision to allow the new protocol.
Your opinion is, though I'm sure you wouldn't put it this way, before you
even know anything about it. My opinion is that it should be made when you
have enough information to know whether you want to allow it or not.

        We might be able to agree that those who need the additional level of
security of blocking unknown, reserved bits should also be able to supply
the additional level of cluefulness to maintain that configuration. And I
might be willing to admit that commodity firewalls should not assume
operational cluefulness by default.

> I think the concept of reserved fields is a relatively well accepted
> practice in computing by now.  Security is important, but we cannot
> allow security concerns to completely halt progress.  It just may be
> in the interest of security to allow this kind of experimentation to
> occur.

        Sure, as a considered decision made on a case by case basis, at least for
those clueful enough to make such a decision and concerned enough to attempt
to do so.

> >     IMO, it's negligent to configure a firewall to pass traffic
> > whose meaning is not known.

> That means no end host to end host encryption that the network
> firewall cannot understand.

        This might be allowed on a case-by-case basis. But it definitely should not
be allowed by default except for specific cases where it's decided that the
benefits outweigh the risks.

> ...and for anyone else who likes to block unknown bits, then don't
> let me see or hear you complain about how the net sucks, because you
> are not letting it evolve so that it can be fixed.  :-)

        Of course you have no right to complain if traffic you chose to block
causes you to be unable to interoperate. And you do have a right to complain
if your vendor's default firewall configuration forces you to have a higher
level of cluefulness than a more sensible default configuration might have
required.

        The insoluble (I fear) problem is simply that people don't maintain their
filters. And auto-updating your filters on someone else's say so isn't a
reasonable solution. People often won't update if they don't personally see
the problem, and you don't usually see the traffic you don't get and don't
understand.

        DS