Re: [fw-wiz] A fun smackdown...

From: Chuck Swiger
Date: 05/21/05

  • Next message: Chuck Swiger: "Re: [fw-wiz] A fun smackdown..."

    To: "Marcus J. Ranum"
    Date: Sat, 21 May 2005 11:48:37 -0400

    On May 20, 2005, at 9:57 PM, Marcus J. Ranum wrote:
    > Chuck Swiger wrote:
    >> You are disagreeing with a design principle from the RFCs which
    >> discuss how to create robust software protocols.
    > The RFCs often used to contain the phrase "this RFC does not address
    > security." Is that one of those great design principles the IETF
    > uses
    > to create "robust software protocols"??

    Sometimes, yes. I'd rather see an explicit statement that says, "this
    is not a secure protocol", than use something which pretends to be
    secure, yet is not.

    The older RFCs-- before 2000 or so-- were a lot more concerned with
    defining standards for interoperability than for security. Newer RFCs
    tend to show a lot more concern for security.

    > The RFC process creates interoperable *CRAP*.

    Let's accept this as true for a moment. Can you point to something

    What about the ISO model, the X.400 & X.500 schemas, and ASN.1?
    How well has BER, SNMP, SSL certs, and all of that done in practice for

    Or how about the security vendors, who break standards to create
    proprietary, non-interoperable crap? What's the current status of
    VRRP? Is that an open standard, free for all to use, or is it

    > [ ... ]
    > The RFCs are written by well-intentioned amateurs who never gave
    > a rat's a&& for security, and the resulting Internet reflects it.

    Not always. There are people, even on this list, who could learn
    something from:

        As an aside, building a "home grown" firewall requires a significant
        amount of skill and knowledge of TCP/IP. It should not be trivially
        attempted because a perceived sense of security is worse in the long
        run than knowing that there is no security. As with all security
        measures, it is important to decide on the threat, the value of the
        assets to be protected, and the costs to implement security.

    Give that RFC a fair read, Marcus, and then see whether you still agree
    with your own generalization above.

    firewall-wizards mailing list
