Firewall Wizards mailing list archives
Re: Off topic: Any one know of a good IPV6 reference book?
From: Paul Robertson <proberts () patriot net>
Date: Wed, 30 Jul 2003 20:23:33 -0400 (EDT)
On Wed, 30 Jul 2003, Crispin Cowan wrote:
> That would solve a lot of issues for secure networks. I really believe that IP crypto does not actually solve any significant security problem in a compelling or useful manner. If every single packet had an authentic source IP address, then DDoS problems would be much easier to manage.
Crypto doesn't solve that problem though - the initial packet still needs to come from somewhere, and is spoofable. Ubiquitous outbound anti-spoofing rules would be *much* more effective. For instance, if non-ISP images of IOS had to be configured with "Valid originating network addresses," we'd have a darned good start[1].
> Caveat: not to say that IPSec or IPv6 are particularly good or bad ways to get authentic source IP addresses. Just a counterpoint to MJR's claim.
They only help for subsequent packets, not for the initial ones, so floods are still possible. Since v6 doesn't mandate crypto, it's really pretty moot. Also, these days, with the advent of large Botnets, I'm not all that sure that not forging the sources makes it all that much more of a bar, and all that extra crypto leaves room for new DoS vectors.

Paul

[1] Not to pick on any single vendor, but with their market share, I think if we had 75% of their leaf node routers configured thusly, DDoS by spoofing would be a done deal, *and* infections would be easier to spot.

-----------------------------------------------------------------------------
Paul D. Robertson          "My statements in this message are personal opinions
proberts () patriot net     which may have no basis whatsoever in fact."
probertson () trusecure com
Director of Risk Assessment
TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
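The outbound anti-spoofing rule discussed in this message, sketched as an added example that is not part of the original post: a leaf router forwards only packets whose source lies in its configured valid originating networks, and the per-interface drop counts show where spoofing hosts sit. The prefixes (documentation ranges), interface names and flow records are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Assumption: prefixes legitimately originated behind this leaf router.
VALID_ORIGINATING = [
    ipaddress.ip_network(p) for p in ("192.0.2.0/24", "2001:db8:10::/48")
]

# Constructed outbound flow records: (internal interface, source address).
SAMPLE_OUTBOUND = [
    ("eth1", "192.0.2.17"),         # legitimate IPv4 source
    ("eth1", "198.51.100.9"),       # forged source outside the site prefix
    ("eth2", "2001:db8:10::5"),     # legitimate IPv6 source
    ("eth2", "203.0.113.77"),       # forged
    ("eth2", "10.1.2.3"),           # private address leaking outbound
    ("eth2", "2001:db8:ffff::1"),   # IPv6 source outside the /48
    ("eth1", "not-an-ip"),          # malformed record, treated as invalid
]


def source_is_valid(src, valid_nets=VALID_ORIGINATING):
    """True only if src parses and falls inside a valid originating network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr.version == net.version and addr in net for net in valid_nets)


def egress_filter(packets, valid_nets=VALID_ORIGINATING):
    """Split outbound packets into forwarded ones and per-interface drop counts."""
    forwarded, dropped = [], Counter()
    for iface, src in packets:
        if source_is_valid(src, valid_nets):
            forwarded.append((iface, src))
        else:
            dropped[iface] += 1
    return forwarded, dropped


if __name__ == "__main__":
    forwarded, dropped = egress_filter(SAMPLE_OUTBOUND)
    print("forwarded:", forwarded)
    # Interfaces with drops are where to look for spoofing (possibly infected) hosts.
    for iface, count in dropped.most_common():
        print(f"{iface}: {count} spoofed-source packets dropped")
```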