Firewall Wizards mailing list archives
Re: A fun smackdown...
From: Chuck Swiger <chuck () codefab com>
Date: Sat, 21 May 2005 12:25:13 -0400
On May 20, 2005, at 10:02 PM, Marcus J. Ranum wrote:
> > How about excessive ICMP filtering breaking path MTU discovery?
>
> Another perfect example of a bunch of egg-heads in the IETF coming up with a mechanism for doing something that completely ignored existing implementations of security systems - and breaks as a result. The PMTU discovery mechanism, using ICMP, was moronic design from the get-go.
I could care less whether a firewall breaks PMTU discovery to someone's accounting machine or to the control and monitoring systems at the local power plant, because I and other legitimate users are never going to talk to such systems, and because such machines very probably should not be Internet-routable to begin with.
By definition, the IETF is concerned with systems which interoperate over public networks using network-wide conventions and publicly documented standards. What people do with private machines or private networks is up to them, at least so long as they *don't* connect those machines to the Internet. However, when someone publishes an MX record, or sets up www.company.com in the DNS, they are choosing to interact with the rest of the Internet.
A firewall which breaks ESMTP, or HTTP/1.1, or PMTUD to such machines (typically in a DMZ) significantly impacts legitimate access with questionable gains at best for security, and IMHO is a poor tradeoff. You shouldn't be putting the crown jewels on a DMZ host to begin with.
And as for PMTUD, I'd be happy to see a better solution for MTU discovery, short of depending on all intermediate routers to handle IP fragmentation in an efficient and sane fashion. Do you have something better, Marcus...?
--
-Chuck
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
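The disagreement above is about whether ICMP filtering has to be all-or-nothing. As an added illustration (not code from either poster, and not from any firewall product), the Python below models the narrow check a stateful filter can apply to inbound ICMP "Fragmentation Needed" messages (type 3, code 4, per RFC 1191), the only ICMP message PMTUD depends on: it parses the message, verifies the checksum, and passes it only when the quoted inner datagram was sent by a protected host with DF set and the reported next-hop MTU is plausible. Everything else is dropped, so PMTUD keeps working for DMZ hosts without opening up ICMP wholesale. The addresses, the 192.0.2.0/24 "inside" network and the packets are all constructed from documentation ranges for the example; the function names are assumptions of this example.

```python
import struct
import ipaddress

ICMP_DEST_UNREACH = 3
CODE_FRAG_NEEDED = 4
IP_FLAG_DF = 0x4000
MIN_IPV4_MTU = 68  # RFC 791 minimum; a smaller PMTU report is bogus


def inet_checksum(data: bytes) -> int:
    """Standard one's-complement checksum used by IP and ICMP headers.
    Over a message that includes its own correct checksum, the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, total_len: int, proto: int = 6, df: bool = True) -> bytes:
    """Constructed 20-byte IPv4 header (IHL=5) for the sample packets below."""
    flags_frag = IP_FLAG_DF if df else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, flags_frag, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_frag_needed(original_datagram: bytes, next_hop_mtu: int) -> bytes:
    """ICMP body a router would send (outer IP header omitted): type 3, code 4,
    16-bit unused, 16-bit next-hop MTU, then the original IP header + 8 bytes."""
    body = original_datagram[:28]
    msg = struct.pack("!BBHHH", ICMP_DEST_UNREACH, CODE_FRAG_NEEDED, 0, 0, next_hop_mtu) + body
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


def parse_frag_needed(icmp: bytes):
    """Return the fields a PMTUD-aware filter needs, or None if the message is not a
    well-formed Fragmentation Needed report with a valid checksum and inner IPv4 header."""
    if len(icmp) < 8 + 20:
        return None
    typ, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if typ != ICMP_DEST_UNREACH or code != CODE_FRAG_NEEDED:
        return None
    if inet_checksum(icmp) != 0:
        return None
    inner = icmp[8:]
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8:
        return None
    _, _, inner_len, _, flags_frag, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", inner[:20])
    return {
        "next_hop_mtu": mtu,
        "orig_src": str(ipaddress.IPv4Address(src)),
        "orig_dst": str(ipaddress.IPv4Address(dst)),
        "orig_len": inner_len,
        "orig_df": bool(flags_frag & IP_FLAG_DF),
        "orig_proto": proto,
    }


def pmtud_filter_verdict(icmp: bytes, inside_nets) -> str:
    """Decide whether an inbound Fragmentation Needed message may reach a protected host.
    Pass only reports that parse, quote a DF datagram one of our hosts sent, and carry a
    plausible MTU (0 is tolerated: RFC 1191 lets hosts fall back to a plateau table)."""
    info = parse_frag_needed(icmp)
    if info is None:
        return "drop: not a well-formed Fragmentation Needed message"
    if not any(ipaddress.IPv4Address(info["orig_src"]) in n for n in inside_nets):
        return "drop: quoted datagram was not sent by a protected host"
    if not info["orig_df"]:
        return "drop: quoted datagram had DF clear, so no PMTUD was in progress"
    mtu = info["next_hop_mtu"]
    if mtu and not (MIN_IPV4_MTU <= mtu < info["orig_len"]):
        return "drop: implausible next-hop MTU %d" % mtu
    return "pass: deliver to %s (lower PMTU toward %s to %d)" % (info["orig_src"], info["orig_dst"], mtu)


def demo():
    """Three constructed reports: one legitimate, one quoting traffic we never sent, one with an absurd MTU."""
    inside = [ipaddress.ip_network("192.0.2.0/24")]
    ours = build_ipv4_header("192.0.2.10", "198.51.100.7", total_len=1500) + b"\x00" * 8
    good = build_frag_needed(ours, 1400)
    foreign = build_frag_needed(build_ipv4_header("203.0.113.9", "198.51.100.7", 1500) + b"\x00" * 8, 1400)
    tiny = build_frag_needed(ours, 40)
    return [pmtud_filter_verdict(p, inside) for p in (good, foreign, tiny)]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The "quoted datagram sent by us" test is the same relationship a stateful firewall uses when it marks ICMP errors as RELATED to an existing flow; a filter that can do that has no need to block type 3 code 4 to reach the rest of its ICMP policy, which is the middle ground the thread is arguing around.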