Re: [fw-wiz] A fun smackdown...

From: Marcus J. Ranum
Date: 05/21/05

    To: Chuck Swiger, Paul D. Robertson
    Date: Fri, 20 May 2005 21:57:31 -0400

    Chuck Swiger wrote:
    >You are disagreeing with a design principle from the RFCs which discuss how to create robust software protocols.

    The RFCs often used to contain the phrase "this RFC does not address
    security." Is that one of those great design principles the IETF uses
    to create "robust software protocols"??

    The RFC process creates interoperable *CRAP*.

    Standards that had been developed with security as even a passing
    thought would have had protocol command stacks divided into
    trusted modes and public modes from the get-go. I.e.: "internet-facing
    mail servers must support the HELO, MAIL, RCPT, DATA commands.
    mail servers facing trusted networks must support the untrusted commands
    plus HELP, VRFY, etc, etc, etc..."

    The RFCs are written by well-intentioned amateurs who never gave
    a rat's a&& for security, and the resulting Internet reflects it.


    firewall-wizards mailing list
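The command-set split the post proposes, written out as an added example that is not part of the original post: an internet-facing ("public") listener accepts only the minimal transaction commands and answers every other verb with a 5xx before any command-specific code runs, while a listener on a trusted network also gets HELP/VRFY/EXPN. The zone names, exact command sets, state names and reply texts are assumptions for illustration, not taken from any RFC or product.

```python
# Added example, not from the post or any RFC: a zone-aware SMTP command policy.
# Internet-facing ("public") listeners get only the minimal command set the post
# names; listeners on trusted networks also get HELP/VRFY/EXPN. Command sets,
# state names and reply texts are assumptions chosen for illustration.

PUBLIC_COMMANDS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}
TRUSTED_EXTRA = {"HELP", "VRFY", "EXPN"}

# Transaction commands: (states they may be issued from, next state). The message
# body after DATA is out of scope here, so DATA simply returns to "helo".
SEQUENCE = {"MAIL": ({"helo"}, "mail"),
            "RCPT": ({"mail", "rcpt"}, "rcpt"),
            "DATA": ({"rcpt"}, "helo")}


class SmtpPolicy:
    def __init__(self, zone):
        if zone not in ("public", "trusted"):
            raise ValueError("zone must be 'public' or 'trusted'")
        self.allowed = PUBLIC_COMMANDS | (TRUSTED_EXTRA if zone == "trusted" else set())
        self.state = "connected"  # connected -> helo -> mail -> rcpt -> helo

    def handle(self, line):
        """Reply to one command line. The zone check runs before any per-command
        parsing, so verbs not offered in this zone never reach a handler."""
        parts = line.strip().split(None, 1)
        verb = parts[0].upper() if parts else ""
        if verb not in self.allowed:
            # Same reply for unknown verbs and for verbs withheld from this zone.
            return "502 5.5.1 Command not implemented"
        if verb in ("HELO", "EHLO"):
            self.state = "helo"
            return "250 mx.example"
        if verb in SEQUENCE:
            allowed_from, next_state = SEQUENCE[verb]
            if self.state not in allowed_from:
                return "503 5.5.1 Bad sequence of commands"
            self.state = next_state
            return "354 End data with <CR><LF>.<CR><LF>" if verb == "DATA" else "250 OK"
        if verb == "RSET" and self.state != "connected":
            self.state = "helo"  # abort the current transaction, keep the greeting
        if verb == "QUIT":
            return "221 Bye"
        return "250 OK"  # NOOP, RSET, and the trusted-zone extras


def run_session(zone, lines):
    """Feed constructed client command lines through one policy; return the replies."""
    policy = SmtpPolicy(zone)
    return [policy.handle(line) for line in lines]
```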
