![nanog logo](/images/nanog-logo.png)
nanog mailing list archives
RE: Smallest Transit MTU
From: "David Schwartz" <davids () webmaster com>
Date: Thu, 30 Dec 2004 20:16:09 -0800
On Thu, 30 Dec 2004 17:42:44 -0800 "David Schwartz" <davids () webmaster com> wrote:
I think you may be fearful that the use of reserved bits introduces a new security risk, because of something a system may do in response to the use of those new fields. That is a very legitimate concern and a very real potential risk. I guess in my view of the world, in practical terms, we're not likely to see an experimental protocol start getting widely deployed and then suddenly discover that we have a major security threat on our hands that we cannot easily fix before it brings the net to a complete halt. At least not since the publication of RFC 793. :-)
The point is one of when you make the decision to allow the new protocol. Your opinion is, though I'm sure you wouldn't put it this way, before you even know anything about it. My opinion is that it should be made when you have enough information to know whether you want to allow it or not. We might be able to agree that those who need the additional level of security of blocking unknown, reserved bits should also be able to supply the additional level of cluefulness to maintain that configuration. And I might be willing to admit that commodity firewalls should not assume operational cluefulness by default.
I think the concept of reserved fields is a relatively well accepted practice in computing by now. Security is important, but we cannot allow security concerns to completely halt progress. It just may be in the interest of security to allow this kind of experimentation to occur.
Sure, as a considered decision made on a case by case basis, at least for those clueful enough to make such a decision and concerned enough to attempt to do so.
IMO, it's negligent to configure a firewall to pass traffic whose meaning is not known.
That means no end host to end host encryption that the network firewall cannot understand.
This might be allowed on a case-by-case basis. But it definitely should not be allowed by default except for specific cases where it's decided that the benefits outweigh the risks.
...and for anyone else who likes to block unknown bits, then don't let me see or hear you complain about how the net sucks, because you are not letting it evolve so that it can be fixed. :-)
Of course you have no right to complain if traffic you chose to block causes you to be unable to interoperate. And you do have a right to complain if your vendor's default firewall configuration forces you to have a higher level of cluefulness than a more sensible default configuration might have required. The insoluble (I fear) problem is simply that people don't maintain their filters. And auto-updating your filters on someone else's say so isn't a reasonable solution. People often won't update if they don't personally see the problem, and you don't usually see the traffic you don't get and don't understand. DS
Current thread:
- Re: Smallest Transit MTU, (continued)
- Re: Smallest Transit MTU Joe Abley (Dec 29)
- Re: Smallest Transit MTU Iljitsch van Beijnum (Dec 29)
- Re: Smallest Transit MTU Edward B. Dreger (Dec 29)
- Re: Smallest Transit MTU Iljitsch van Beijnum (Dec 29)
- Re: Smallest Transit MTU Dan Hollis (Dec 29)
- Re: Smallest Transit MTU Dan Hollis (Dec 29)
- Re: Smallest Transit MTU Robert E . Seastrom (Dec 30)
- Re: Smallest Transit MTU John Kristoff (Dec 30)
- RE: Smallest Transit MTU David Schwartz (Dec 30)
- Re: Smallest Transit MTU John Kristoff (Dec 30)
- RE: Smallest Transit MTU David Schwartz (Dec 30)
- Re: Smallest Transit MTU Robert E . Seastrom (Dec 30)
- Re: Smallest Transit MTU John Kristoff (Dec 30)
- Re: Smallest Transit MTU Robert E . Seastrom (Dec 31)
- Re: Smallest Transit MTU Robert E . Seastrom (Dec 30)
- RE: Smallest Transit MTU Scott Weeks (Dec 30)
- RE: Smallest Transit MTU Matthew Kaufman (Dec 30)
- RE: Smallest Transit MTU David Schwartz (Dec 30)
- Re: Smallest Transit MTU Valdis . Kletnieks (Dec 30)