nanog mailing list archives

Re: Arguing against using public IP space


From: Owen DeLong <owen () delong com>
Date: Tue, 15 Nov 2011 16:45:11 -0500



Sent from my iPad

On Nov 15, 2011, at 4:10 PM, Jay Ashworth <jra () baylink com> wrote:

> ----- Original Message -----
> From: "Owen DeLong" <owen () delong com>
>
>> If your firewall is not working, it should not be passing packets.
>
> Yes; your arguments all seem to depend on that property being true.
>
> But we call it a *failure* for a reason, Owen.

If your firewall has failed to such an extent, all bets are off about what it does or does not pass, regardless of
whether or not it mutilates the headers.

> What the probability is of a firewall failing in such a fashion as to *stop
> filtering, but still pass packets* depends -- as you have pointed out --
> entirely on its design.
>
> As *I* have pointed out, not all firewalls are created equal, and there are
> a helluva lot of them out there for which this desirable property *simply
> is not true*.

Then I would, by definition, call them routers, not firewalls.

> Sticking your head in the sand on this point is not especially productive.

I'm not sticking my head in the sand about anything. I am pointing out that mutilating the packet header only reduces
security. It does not improve it.

Owen
