Firewall Wizards mailing list archives

Re: Help with SPF


From: "Ge' Weijers" <ge () progressive-systems com>
Date: Thu, 6 May 1999 10:03:53 -0400

On Tue, May 04, 1999 at 11:54:33AM -0400, carson () tla org wrote:
> "Fred" == Frederick M Avolio <fred () avolio com> writes:
>
>     Fred> Any IP service can be supported through a SPF.
>
> With 2 caveats:
>
> - You may have to support it in an insecure fashion, due to crypto obscuring
> the protocol.

Or obscurantism like the payload being encoded using ASN.1 or Roman
numerals, and it's the SPF's task to dig through all of it to find
additional ports to open. Imagine maintaining enough state to track
this stuff in a stateful packet filter... You'd end up building an
LALR(k) parser or something similar to do your matching.

> Of course, _someday_ one of my vendors will get tired of me nagging them for
> geographically diverse state sharing, and finally will be willing to sell it
> to me :)

It's probably simpler and cheaper in the long run to fix the unsafe
protocols we're currently using, than to add more and more complexity
to firewalls.


> --
> Carson Gaspar -- carson () cs columbia edu carson () tla org carson () cugc org
> http://www.cs.columbia.edu/~carson/home.html
> Queen Trapped in a Butch Body


-- 
Ge' Weijers                                Voice: (614)326 4600
Progressive Systems, Inc.                    FAX: (614)326 4601
2000 West Henderson Rd. Suite 400, Columbus OH 43220
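The thread above is about a stateful packet filter having to read application payload to learn which additional ports to open, and about how encryption or opaque encodings defeat that. The following is an added example, not code from either poster or from any firewall product: a minimal FTP-style application-layer gateway that parses cleartext PORT commands on a control channel and records the data-channel pinhole the filter would need to open. The addresses, the class names and the sample control-channel bytes are constructed for illustration. It also shows the two failure modes the exchange alludes to: a PORT command pointing at a third host (which the ALG refuses, since it would open a pinhole to someone else) and a payload that is ciphertext, from which the same parser can recover nothing at all.

```python
import re
from dataclasses import dataclass

# FTP PORT syntax (RFC 959): "PORT h1,h2,h3,h4,p1,p2" where the client asks
# the server to connect back to h1.h2.h3.h4 on port p1*256+p2. A stateful
# filter that wants to allow active-mode FTP must parse this line to learn
# which single destination/port to open for the incoming data connection.
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?$")


@dataclass(frozen=True)
class Pinhole:
    """One dynamically opened hole: src_ip may connect to dst_ip:dst_port."""
    src_ip: str
    dst_ip: str
    dst_port: int


def parse_port_command(line: bytes):
    """Return (ip, port) for a valid FTP PORT line, or None if the line is
    anything else. Raises ValueError on an octet outside 0..255."""
    m = PORT_RE.match(line)
    if m is None:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(x > 255 for x in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("PORT octet out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


class FtpAlg:
    """Per-connection state for one FTP control channel (hypothetical
    helper). Each call to feed() scans newly seen control-channel payload
    for PORT commands and accumulates the pinholes the filter must open."""

    def __init__(self, client_ip: str, server_ip: str):
        self.client_ip = client_ip
        self.server_ip = server_ip
        self.pinholes = []

    def feed(self, control_payload: bytes):
        for line in control_payload.split(b"\n"):
            parsed = parse_port_command(line)
            if parsed is None:
                continue  # not a PORT command (or not cleartext FTP at all)
            ip, port = parsed
            # Only open a hole back to the client that issued the command.
            # A PORT naming a different host is the classic FTP bounce
            # abuse and must not turn into a pinhole.
            if ip != self.client_ip:
                continue
            self.pinholes.append(Pinhole(self.server_ip, ip, port))
        return list(self.pinholes)


if __name__ == "__main__":
    # Constructed sample: a cleartext active-mode session from 192.168.1.10
    # to server 203.0.113.5 asking for a data connection back to port 1025.
    alg = FtpAlg("192.168.1.10", "203.0.113.5")
    print(alg.feed(b"USER anonymous\r\nPASS x\r\nPORT 192,168,1,10,4,1\r\nLIST\r\n"))
    # Same session over an encrypted channel: the ALG sees only opaque bytes
    # and can derive no pinhole, which is the "crypto obscuring the protocol"
    # caveat from the thread.
    print(FtpAlg("192.168.1.10", "203.0.113.5").feed(b"\x17\x03\x03\x00\x20\x8a\x11\xfe"))
```

Every additional encoding the protocol layers on (the ASN.1 case in the reply) means another parser of this kind, carried as per-connection state in the filter; an encrypted control channel leaves nothing to parse, so the operator is left choosing between a static hole for the whole data-port range and not passing the protocol at all.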


