nanog mailing list archives

Re: IPv6, IPSEC and DoS


From: "Christopher L. Morrow" <christopher.morrow () mci com>
Date: Sat, 01 Jan 2005 02:21:12 +0000 (GMT)


On Fri, 31 Dec 2004, J. Oquendo wrote:

> On Sat, 1 Jan 2005, Christopher L. Morrow wrote:
>
>> Some of this 'not follow it now' is partly due to equipment problems.
>> These problems should be disappearing from many larger networks as new
>> gear is cycled in over the next couple of years. The option will then be
>> available to the engineers that operate the networks, they will likely
>> still prefer the 'closest to the end system router' make the filtering
>> decision though.
>
> I think I've mentioned this before... Why isn't it standard by default? To
> which most replied about the ever changing BOGON addresses. It would be
> nice to see a "Trusted" repository that all equipment could pass to and
> from information.

sure, this is part of 'to urpf or not to urpf by default on "lan"
interfaces'. I think the vendor folks, and some operators, thought that
'changing defaults might be a bad thing'. There are lots of unintended
consequences to urpf or not :(

Personally, I'd love to see all LAN interfaces properly 'urpf' (or some
version of that). Even moving upstream from the LAN to the WAN, CPE
properly anti-spoof filtering (reverse 2627 filtering) would be a good
start. I am not convinced that doing this sort of thing from a 'central
trusted repository' (even a distributed central repository) is a good plan
for 'everyone' though. take the cases of large 'internet' sized networks
that are not 'the internet', getting them a copy or even them USING this
methodology isn't necessarily possible, or required.

This, btw, is part of the 'one secure' or 'secure default' or
whatever-its-called-secure cisco template/config-option thingy... which is
already out-of-date?


>> your company likely has this capability, or could have it today... They
>> also likely don't want you wasting company time buying things on ebay or
>> amazon... your company, in the US, likely has this in their HR/Employee
>> handbook in the form of some 'corporate assets are for corporate use only'
>> statement.
>
> Indeed no one wants their resources wasted, but what about those in the
> financial industries where monetary information is being sent. Surely no

They have their VPNs and 'secure networks' and other methods... many of
their transactions probably pass in the clear from DB to DB to DB, on
local LANs or on private WANs. (speculation of course, perhaps their 3des
is 3des'd and all is perfect and nice, who knows)

> one wants that information being passed. On that note of network "waste",
> for those who do have those types of policies, that's what content
> management is for in my opinion. If it hasn't been fully implemented, then
> why call the kettle black.


actually, those policies are there to fire people with, nothing more... no
one polices them to any reasonable level. We once had a large and well
known consulting firm for which we could see firewall logs, while watching
the logs scroll by their liaison mentioned how well their people knew their
policies about sexual harassment and such... I think I asked: "Hmm, so
what is www.indialove.com, do you think? Oh, porn, yeah, one of your well
informed employees is spending HOURS looking through that site, right
now..."

Anyway, go policies! :)


> Once again... Happy New Year everyone... Going going gone...


not quite gone yet, 2.75 hours remain! :)
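Added example, not part of the thread or of any vendor's implementation: a small model of the ingress anti-spoof check the message argues for (strict and loose unicast RPF plus a static martian-source filter), written to show why the "unintended consequences" Morrow mentions arise. The FIB, interface names (lan0, peer0, upstream0) and the sample packets are constructed for illustration; the behaviour that a default route does not satisfy uRPF unless explicitly allowed mirrors common router implementations but is an assumption of this model, not something the thread states.

```python
"""Strict/loose unicast RPF and martian filtering over a toy FIB (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Route:
    prefix: Network
    interfaces: FrozenSet[str]  # egress interfaces; more than one means ECMP


# Constructed FIB (hypothetical interface names): a customer LAN, a multihomed
# customer reachable over two links, an IPv6 LAN prefix, and an IPv4 default.
FIB = (
    Route(ipaddress.ip_network("0.0.0.0/0"), frozenset({"upstream0"})),
    Route(ipaddress.ip_network("192.0.2.0/24"), frozenset({"lan0"})),
    Route(ipaddress.ip_network("198.51.100.0/24"), frozenset({"peer0", "upstream0"})),
    Route(ipaddress.ip_network("2001:db8::/32"), frozenset({"lan0"})),
)

# Static part of a bogon list: well-known ranges that are never legitimate
# Internet source addresses (RFC 1918, "this" network, loopback, link-local,
# multicast, class E). The thread's point is that the *dynamic* part
# (unallocated space) changes over time; that part is not modelled here.
MARTIANS = tuple(ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
))


def is_martian(src: str) -> bool:
    """True if src falls in one of the static martian ranges (IPv4 only here)."""
    a = ipaddress.ip_address(src)
    return any(a in n for n in MARTIANS)


def lookup(fib, src: str):
    """Longest-prefix match for src across the FIB; None if unrouted.

    ipaddress handles both families: an IPv6 address never matches an IPv4
    prefix, so the IPv4 default does not cover IPv6 sources.
    """
    a = ipaddress.ip_address(src)
    best = None
    for r in fib:
        if a in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def ingress_check(fib, src: str, ingress: str, mode: str = "strict",
                  allow_default: bool = False):
    """Decide whether a packet with source src arriving on ingress is accepted.

    strict: the best route back to src must exit via ingress (any member of
            an ECMP set counts, which is what makes multihoming survivable).
    loose : a route back to src merely has to exist (catches unrouted space,
            not spoofing of routable addresses).
    A default route satisfies neither mode unless allow_default is set.
    Returns (accepted, reason).
    """
    if is_martian(src):
        return False, "martian source"
    r = lookup(fib, src)
    if r is None:
        return False, "no route to source"
    if r.prefix.prefixlen == 0 and not allow_default:
        return False, "only default route to source"
    if mode == "loose":
        return True, "loose uRPF: route exists"
    if ingress in r.interfaces:
        return True, "strict uRPF: route points back out ingress"
    return False, f"strict uRPF: route to source is via {sorted(r.interfaces)}, not {ingress}"


def demo():
    """Constructed packets run through strict uRPF on a LAN and an upstream interface."""
    packets = [
        ("192.0.2.10", "lan0"),        # LAN host using its own prefix
        ("203.0.113.7", "lan0"),       # LAN host spoofing a foreign address
        ("198.51.100.5", "upstream0"), # multihomed customer arriving via second path
        ("198.51.100.5", "lan0"),      # LAN host spoofing the multihomed customer
        ("10.1.2.3", "upstream0"),     # RFC 1918 source from outside
        ("203.0.113.7", "upstream0"),  # legitimate, but only a default route back
        ("2001:db8::1", "lan0"),       # IPv6 LAN host, own prefix
    ]
    return {(s, i): ingress_check(FIB, s, i) for s, i in packets}


if __name__ == "__main__":
    for (src, ifc), (ok, why) in demo().items():
        print(f"{src:>14} on {ifc:<9} -> {'ACCEPT' if ok else 'DROP  '} ({why})")
```

The sixth packet is the caveat worth noticing: with only a default route toward the upstream, strict uRPF on upstream0 drops legitimate traffic unless the default is explicitly allowed, and allowing it makes the check nearly meaningless on that interface. That is why the thread favours doing the filtering on the LAN or CPE side, where the router holds the specific prefix it expects to see.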

