nanog mailing list archives

Re: Smallest Transit MTU


From: John Kristoff <jtk () northwestern edu>
Date: Thu, 30 Dec 2004 21:31:01 -0600


On Thu, 30 Dec 2004 17:42:44 -0800
"David Schwartz" <davids () webmaster com> wrote:

      I, for one, do not agree. End hosts and firewalls *should* reject
all traffic they don't understand. It's precisely to prevent our
unintentional participation (as end hosts) in such 'experiments' that
we deploy such filters. The problem is when the policies are not
maintained (or are
[...]

If everyone actually did that, it would make upgrades to lots of
things very interesting.  We'd have to rely on the initial design
and implementation being close to or at perfection for now and
long into the future.

If you do not upgrade or configure your systems to understand the new
use of previously reserved bits then in the typical case you would
silently ignore those bits and things would just continue to work in
the way you were used to.  Most people designing ways to make use of
reserved bits in Internet protocols these days, I think, understand
that backwards compatibility is often a requirement.

I think you may be fearful that the use of reserved bits introduces
a new security risk, because of something a system may do in response
to the use of those new fields.  That is a very legitimate concern
and a very real potential risk.  I guess in my view of the world, in
practical terms, we're not likely to see an experimental protocol
start getting widely deployed and then suddenly discover that we have
a major security threat on our hands that we cannot easily fix before
it brings the net to a complete halt.  At least not since the
publication of RFC 793.  :-)

I think the concept of reserved fields is a relatively well accepted
practice in computing by now.  Security is important, but we cannot
allow security concerns to completely halt progress.  It just may be
in the interest of security to allow this kind of experimentation to
occur.

      IMO, it's negligent to configure a firewall to pass traffic
whose meaning is not known.

That means no end host to end host encryption that the network
firewall cannot understand.

...and for anyone else who likes to block unknown bits, then don't
let me see or hear you complain about how the net sucks, because you
are not letting it evolve so that it can be fixed.  :-)

John
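An added example, written for this archive page and not John's or anyone else's code from the thread, of the backward-compatibility point above: a small TCP header parser run under three policies, an RFC 793-only implementation that rejects any set reserved bit, the same implementation that silently ignores bits it has no name for, and one updated for RFC 3168, which gave two of the six reserved bits meaning as ECE and CWR. ECN is used here as the concrete instance of a later use of reserved bits; the thread does not name it. The two headers are constructed inline, not captured traffic, and checksums are left at zero since only the flag word is examined.

```python
import struct

# Masks for the 12 bits below the TCP data offset (RFC 793 reserves the
# upper six and defines the lower six as control flags).
RFC793_FLAGS = {
    "FIN": 0x001, "SYN": 0x002, "RST": 0x004,
    "PSH": 0x008, "ACK": 0x010, "URG": 0x020,
}
# RFC 3168 (ECN) later gave meaning to two of the reserved bits.
RFC3168_FLAGS = dict(RFC793_FLAGS, ECE=0x040, CWR=0x080)


def build_tcp_header(src_port, dst_port, seq, ack, flag_word, window=65535):
    """Pack a 20-byte TCP header with no options (data offset 5).
    Checksum and urgent pointer stay zero; this demo only looks at flags."""
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       (5 << 12) | (flag_word & 0x0FFF), window, 0, 0)


def decode_flags(header, known):
    """Return (unknown_bits, names) for the flag word of a TCP header.

    `known` maps flag names to masks this implementation understands; any
    set bit without a name is reported in `unknown_bits`."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    word = struct.unpack_from("!H", header, 12)[0]
    data_offset = word >> 12
    if data_offset < 5:
        raise ValueError("bad data offset %d" % data_offset)
    bits = word & 0x0FFF
    names = {name for name, mask in known.items() if bits & mask}
    known_mask = 0
    for mask in known.values():
        known_mask |= mask
    return bits & ~known_mask, names


def filter_decision(header, known, reject_unknown):
    """Model a host or firewall: 'drop' if reject_unknown is set and the
    header carries bits this implementation has no name for; otherwise
    'pass' with the flags it understood (the 'silently ignore' behaviour)."""
    unknown, names = decode_flags(header, known)
    if reject_unknown and unknown:
        return "drop", names
    return "pass", names


# Constructed sample packets (not captured traffic): a plain SYN and an
# ECN-setup SYN (SYN with ECE and CWR set, per RFC 3168).
PLAIN_SYN = build_tcp_header(40000, 443, 1000, 0, 0x002)
ECN_SYN = build_tcp_header(40000, 443, 1000, 0, 0x002 | 0x040 | 0x080)


if __name__ == "__main__":
    cases = [
        ("RFC 793 only, reject unknown bits", RFC793_FLAGS, True),
        ("RFC 793 only, ignore unknown bits", RFC793_FLAGS, False),
        ("RFC 3168 aware, reject unknown bits", RFC3168_FLAGS, True),
    ]
    for label, known, strict in cases:
        for pkt_name, pkt in (("plain SYN", PLAIN_SYN), ("ECN SYN", ECN_SYN)):
            verdict, names = filter_decision(pkt, known, strict)
            print("%-36s %-9s -> %-4s %s"
                  % (label, pkt_name, verdict, sorted(names)))
```

Running it shows the three outcomes the thread argues over: the strict RFC 793 box drops the ECN SYN outright, the lenient one passes it and sees an ordinary SYN, and the updated one passes it and sees all three flags. The plain SYN passes under every policy, which is why the strict policy looks harmless until someone starts using the reserved bits.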
