Firewall Wizards mailing list archives

Re: A fun smackdown...

From: Chuck Swiger <chuck () codefab com>
Date: Sat, 21 May 2005 14:21:39 -0400

On May 21, 2005, at 12:58 PM, Marcus J. Ranum wrote:

Chuck Swiger wrote:
By definition, the IETF is concerned with systems which interoperateover public networks using network-wide conventions and publiclydocumented standards. What people do with private machines orprivate networks is up to them, at least so long as they *don't*connect those machines to the Internet.
You're completely ignoring the fundamental dilemma that I am trying
to get you to confront. My position in a nutshell:
- "Standards that don't take security into account are notinternet-worthy"
and you're asserting
- "If you don't follow standards you break 'legitimate' traffic"

The problem is that, since the standards don't take security into
account, the traffic is not 'legitimate' - it's 'dangerous'   and a
security device can and SHOULD interfere with it.

You've asserted that all standards are useless. You've asserted thatstandards which do not take security into account are notinternet-worthy. You seem to believe that no Internet standard islegitimate and all traffic must be considered dangerous.

Your position is comprehensible but so extreme as to not be especiallyuseful. By analogy:

There is a non-skid surface on the floor of my tub, but I could stillbreak my neck if I slipped, I suppose. Should I worry about thishorrible possibility excessively? So much that I forget to lock myfront door? It's useful to worry about stuff which is likely tohappen, is likely to matter, and is something you can do somethinguseful about, without spending so much effort that the net impactoutweighs the loss of productive work.

Maybe the first time someone invents a PMTUD denial of
service attack you'll "get it."

People have already played lots of games using ICMP traffic.Rate-limiting ICMP responses and preventing replies to networkbroadcast addr's to prevent amplification/DoS works pretty well fornow.

If I try to talk to www.example.com:80 using DF, I expect that to work.I don't agree that a firewall should block ICMP unreachable messagesgenerated for a connection which would normally be permitted by thesecurity policy. Rate-limit, sure. But not blackhole...


--
-Chuck

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

RE: A fun smackdown..., (continued)
- - - RE: A fun smackdown... Ben Nagy (May 19)
    - Re: A fun smackdown... Chuck Swiger (May 19)
    - Re: A fun smackdown... Paul D. Robertson (May 19)
    - Re: A fun smackdown... Chuck Swiger (May 19)
    - Re: A fun smackdown... Paul D. Robertson (May 19)
    - Re: A fun smackdown... Devdas Bhagat (May 19)
    - Re: A fun smackdown... Paul D. Robertson (May 19)
    - Re: A fun smackdown... Marcus J. Ranum (May 20)
    - Re: A fun smackdown... Chuck Swiger (May 21)
    - Re: A fun smackdown... Marcus J. Ranum (May 21)
    - Re: A fun smackdown... Chuck Swiger (May 21)
    - Re: A fun smackdown... Marcus J. Ranum (May 21)
    - Re: A fun smackdown... Chuck Swiger (May 21)
    - Re: A fun smackdown... Adam Shostack (May 21)
    - Re: A fun smackdown... Ryan McBride (May 21)
    - Re: A fun smackdown... Marcus J. Ranum (May 21)
    - Re: A fun smackdown... Steven M. Bellovin (May 21)
    - Re: A fun smackdown... Marcus J. Ranum (May 21)
    - Re: A fun smackdown... Don Kendrick (May 24)
    - Re: A fun smackdown... Paul D. Robertson (May 19)
    - Re: A fun smackdown... Chuck Swiger (May 19)

(Thread continues...)