nanog mailing list archives
Re: IPv6, IPSEC and DoS
From: "Christopher L. Morrow" <christopher.morrow () mci com>
Date: Sat, 01 Jan 2005 02:21:12 +0000 (GMT)
On Fri, 31 Dec 2004, J. Oquendo wrote:
> On Sat, 1 Jan 2005, Christopher L. Morrow wrote:
> > Some of this 'not follow it now' is partly due to equipment problems. These problems should be disappearing from many larger networks as new gear is cycled in over the next couple of years. The option will then be available to the engineers that operate the networks, they will likely still prefer the 'closest to the end system router' make the filtering decision though.
>
> I think I've mentioned this before... Why isn't it standard by default? To which most replied about the ever changing BOGON addresses. It would be nice to see a "Trusted" repository that all equipment could pass to and from information.
sure, this is part of 'to urpf or not to urpf by default on "lan" interfaces'. I think the vendor folks, and some operators, thought that 'changing defaults might be a bad thing'. There are lots of unintended consequences to urpf or not :( Personally, I'd love to see all LAN interfaces properly 'urpf' (or some version of that). Even moving upstream from the LAN to the WAN, CPE properly anti-spoof filtering (reverse 2627 filtering) would be a good start. I am not convinced that doing this sort of thing from a 'central trusted repository' (even a distributed central repository) is a good plan for 'everyone' though. Take the cases of large 'internet' sized networks that are not 'the internet', getting them a copy or even them USING this methodology isn't necessarily possible, or required. This, btw, is part of the 'one secure' or 'secure default' or whatever-its-called-secure cisco template/config-option thingy... which is already out-of-date?
> > your company likely has this capability, or could have it today... They also likely don't want you wasting company time buying things on ebay or amazon... your company, in the US, likely has this in their HR/Employee handbook in the form of some 'corporate assets are for corporate use only' statement.
>
> Indeed no one wants their resources wasted, but what about those in the financial industries where monetary information is being sent. Surely no
They have their vpns and 'secure networks' and other methods... many of their transactions probably pass in the clear from DB to DB to DB, on local LANs or on private WANs. (speculation of course, perhaps their 3des is 3des'd and all is perfect and nice, who knows)
> one wants that information being passed. On that note of network "waste", for those who do have those types of policies, that's what content management is for in my opinion. If it hasn't been fully implemented, then why call the kettle black.
actually, those policies are there to fire people with, nothing more... no one polices them to any reasonable level. We once had a large and well known consulting firm for which we could see firewall logs, while watching the logs scroll by their liaison mentioned how well their people knew their policies about sexual harassment and such... I think I asked: "Hmm, so what is www.indialove.com do you think?? Oh, porn yea, one of your well informed employees is spending HOURS looking through that site, right now..." Anyway, go policies! :)
> Once again... Happy New Year everyone... Going going gone...
not quite gone yet, 2.75 hours remain! :)
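As an added illustration of the 'urpf on LAN interfaces' and 'CPE anti-spoof filtering' points above (this is example code written for this archive page, not code from the thread, from Cisco, or from any vendor), here is a small Python model of strict and loose unicast RPF run against a constructed FIB. The prefixes, interface names and the functions best_route/urpf_strict/urpf_loose/apply_policy are all made up for the example.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed FIB for a small edge router (prefixes and interface names are
# made up for this example): each entry maps a prefix to its egress interface.
FIB: List[Tuple[ipaddress.IPv4Network, str]] = [
    (ipaddress.ip_network("0.0.0.0/0"), "wan0"),        # default route toward upstream
    (ipaddress.ip_network("203.0.113.0/24"), "wan0"),   # a prefix learned from upstream
    (ipaddress.ip_network("192.0.2.0/24"), "lan0"),     # customer LAN A
    (ipaddress.ip_network("198.51.100.0/24"), "lan1"),  # customer LAN B
]

def best_route(src: str, allow_default: bool = True) -> Optional[str]:
    """Longest-prefix match on the source address; returns the interface the
    router would use to send traffic *back* to src, or None if unrouted."""
    ip = ipaddress.ip_address(src)
    candidates = [
        (net.prefixlen, iface)
        for net, iface in FIB
        if ip in net and (allow_default or net.prefixlen > 0)
    ]
    return max(candidates)[1] if candidates else None

def urpf_strict(src: str, ingress: str) -> bool:
    """Strict mode: accept only if the reverse path to src exits via the
    interface the packet arrived on. Right for stub/LAN and CPE interfaces;
    it can drop legitimate traffic on asymmetrically routed transit links."""
    return best_route(src) == ingress

def urpf_loose(src: str) -> bool:
    """Loose mode: accept if *any* non-default route to src exists. Only
    stops unrouted (bogon) sources; if the default route counted, every
    address would pass, hence allow_default=False here."""
    return best_route(src, allow_default=False) is not None

def apply_policy(packets: List[Tuple[str, str]]) -> Dict[Tuple[str, str], str]:
    """Run strict uRPF on LAN-facing interfaces and loose uRPF on the WAN,
    returning a verdict per (src, ingress) pair."""
    verdicts = {}
    for src, ingress in packets:
        ok = urpf_strict(src, ingress) if ingress.startswith("lan") else urpf_loose(src)
        verdicts[(src, ingress)] = "accept" if ok else "drop"
    return verdicts

if __name__ == "__main__":
    # Constructed sample packets: (source address, ingress interface)
    sample = [("192.0.2.10", "lan0"), ("203.0.113.5", "lan0"), ("10.1.2.3", "wan0")]
    for (src, ingress), verdict in apply_policy(sample).items():
        print(f"{src:>14} on {ingress}: {verdict}")
```

Note that a LAN source arriving on wan0 still passes loose mode (the prefix is routed, just not via that interface), which is why strict mode is the one that actually stops spoofing on the edge.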