Firewall Wizards mailing list archives

Re: A fun smackdown...


From: Chuck Swiger <chuck () codefab com>
Date: Sat, 21 May 2005 11:48:37 -0400

On May 20, 2005, at 9:57 PM, Marcus J. Ranum wrote:
> Chuck Swiger wrote:
>> You are disagreeing with a design principle from the RFCs which discusses how to create robust software protocols.
>
> The RFCs often used to contain the phrase "this RFC does not address
> security." Is that one of those great design principles the IETF uses
> to create "robust software protocols"??

Sometimes, yes. I'd rather see an explicit statement that says, "this is not a secure protocol", than use something which pretends to be secure, yet is not.

The older RFCs -- before 2000 or so -- were a lot more concerned with defining standards for interoperability than for security. Newer RFCs tend to show a lot more concern for security.

> The RFC process creates interoperable *CRAP*.

Let's accept this as true for a moment. Can you point to something better?

What about the ISO model, the X.400 & X.500 schemas, and ASN.1?
How well have BER, SNMP, SSL certs, and all of that done in practice for security?

Or how about the security vendors, who break standards to create proprietary, non-interoperable crap? What's the current status of VRRP? Is that an open standard, free for all to use, or is it encumbered?

> [ ... ]
> The RFCs are written by well-intentioned amateurs who never gave
> a rat's a&& for security, and the resulting Internet reflects it.

Not always. There are people, even on this list, who could learn something from:

http://www.ietf.org/rfc/rfc2196.txt

   As an aside, building a "home grown" firewall requires a significant
   amount of skill and knowledge of TCP/IP.  It should not be trivially
   attempted because a perceived sense of security is worse in the long
   run than knowing that there is no security.  As with all security
   measures, it is important to decide on the threat, the value of the
   assets to be protected, and the costs to implement security.

Give that RFC a fair read, Marcus, and then see whether you still agree with your own generalization above.

--
-Chuck

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
