nanog mailing list archives
Re: [arin-announce] IPv4 Address Space (fwd)
From: matt () petach org
Date: Wed, 29 Oct 2003 14:22:23 -0800 (PST)
> In a message written on Wed, Oct 29, 2003 at 02:24:54PM -0600, Kuhtz, Christian wrote:
> > Isn't that the whole point of running a VPN connection?
>
> Yes. What I'm saying is network operators are slowly forcing everyone to
> run _everything_ over a VPN like service. That's fine, but it makes
> network operators unable to act on the traffic at the same level they
> can today.
>
> Leo Bicknell - bicknell () ufp org - CCIE 3440
> PGP keys at http://www.ufp.org/~bicknell/
I think the other point that may be escaping some people is that as more and more connections take on this VPN-like quality, as network operators we lose any visibility into the validity of the traffic itself.

Imagine how much more painful SQL Slammer would have been if all the traffic was encapsulated in port 80 between sites, and only hit port 1434 locally? We'd suddenly be unable to quickly filter out the worm traffic, and would instead see only that our port 80 traffic was now eating our network alive--and we certainly couldn't get away with filtering that out. We'd have no choice but to build our networks large enough to handle the largest sized worm outbreak, as we'd have no option but to carry the traffic blindly from end to end, having no way to even begin to consider how to differentiate valid traffic from invalid traffic.

At least today, we can decide that 92 byte ICMP echo-request packets are invalid, and drop them; or that for the most part, packets destined to port 1434 should be discarded as quickly as possible. If everything, including worm outbreaks, gets tunneled on port 80, get ready to loosen the purse strings, because there's no alternative other than to add more capacity.

If I were more of a conspiracy theorist, I might think that the router vendors and long-haul fiber providers might be rubbing their hands gleefully in the background, funnelling dollars into the VPN marketplace to fund more and more products that do exactly that...it would certainly be one way to ensure that the demand for larger pipes and faster routers stays high for the next decade or so, until OS vendors learn to secure their software better. ^_^;;

Matt
happy to still be able to block IPs/ports at his own discretion
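The loss of visibility Matt describes, as an added example that is not part of the original post or the nanog archive: a toy flow filter built from the two cleartext rules he names (discard UDP/1434 and 92-byte ICMP echo-requests), then the same flow records as an operator would see them once every flow is encapsulated on one TCP port. The flow records, the tunnel overhead constant and the volume threshold are all constructed for the example; `Flow`, `acl_verdict`, `tunnel_view`, `dropped_bytes` and `volumetric_suspects` are names chosen here, not any vendor's API.

```python
"""Toy operator-side flow filter: port/size rules work on cleartext traffic
and become useless once everything is tunnelled on one port. Sample data
below is constructed, not captured."""
from collections import Counter
from dataclasses import dataclass, replace

# Assumed per-packet encapsulation overhead once a flow is tunnelled (constructed value).
TUNNEL_OVERHEAD = 60


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str       # "udp", "tcp" or "icmp"
    dport: int       # 0 for icmp
    icmp_type: int   # 8 = echo-request; unused for tcp/udp
    length: int      # bytes per packet on the wire
    pkts: int        # packets in this flow record


def acl_verdict(f: Flow) -> str:
    """Cleartext rules taken from the post: drop UDP/1434 and 92-byte echo-requests."""
    if f.proto == "udp" and f.dport == 1434:
        return "drop:udp-1434"
    if f.proto == "icmp" and f.icmp_type == 8 and f.length == 92:
        return "drop:icmp-92"
    return "permit"


def tunnel_view(flows, port=80):
    """What the operator sees after encapsulation on a single TCP port:
    protocol, destination port, ICMP type and original size are hidden;
    only endpoints and volume survive."""
    return [replace(f, proto="tcp", dport=port, icmp_type=0,
                    length=f.length + TUNNEL_OVERHEAD) for f in flows]


def dropped_bytes(flows) -> int:
    """Bytes the ACL keeps off the network for this set of flow records."""
    return sum(f.length * f.pkts for f in flows if acl_verdict(f) != "permit")


def volumetric_suspects(flows, threshold_bytes):
    """The blunt fallback left once L4 detail is gone: sources whose total
    bytes exceed a threshold. It cannot separate a worm from a legitimate
    bulk transfer on the same port, which is exactly the problem."""
    totals = Counter()
    for f in flows:
        totals[f.src] += f.length * f.pkts
    return sorted(s for s, b in totals.items() if b > threshold_bytes)


# Constructed sample flow records (addresses from documentation ranges).
SAMPLE = [
    Flow("10.1.1.5", "192.0.2.10", "tcp", 80, 0, 1500, 400),        # ordinary web traffic
    Flow("10.1.1.6", "192.0.2.53", "udp", 53, 0, 80, 20),           # DNS
    Flow("10.1.1.99", "198.51.100.7", "udp", 1434, 0, 404, 5000),   # worm-style UDP/1434 traffic
    Flow("10.1.1.99", "198.51.100.8", "udp", 1434, 0, 404, 5000),
    Flow("10.1.1.42", "198.51.100.9", "icmp", 0, 8, 92, 3000),      # 92-byte echo-requests
    Flow("10.1.1.7", "192.0.2.11", "tcp", 80, 0, 1500, 4000),       # legitimate bulk download
]


def demo():
    """Bytes dropped in the clear, bytes dropped once tunnelled, and who the
    volume-only fallback would flag in the tunnelled view."""
    tunnelled = tunnel_view(SAMPLE)
    return (dropped_bytes(SAMPLE),
            dropped_bytes(tunnelled),
            volumetric_suspects(tunnelled, 2_000_000))


if __name__ == "__main__":
    clear, tun, suspects = demo()
    print(f"dropped in the clear: {clear} bytes")
    print(f"dropped once tunnelled: {tun} bytes")
    print(f"volume-only suspects: {suspects}")
```

In the cleartext view the two rules remove the worm and ICMP traffic and leave the bulk download alone; in the tunnelled view nothing matches, and the only remaining signal flags the legitimate bulk download alongside the worm source. That is the operator's dilemma in the post: carry it all, or rate-limit port 80 and take the legitimate traffic down with it.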