Re: [fw-wiz] A fun smackdown...

From: Chuck Swiger (chuck_at_codefab.com)
Date: 05/21/05

  • Next message: Marcus J. Ranum: "Re: [fw-wiz] A fun smackdown..."
    To: "Marcus J. Ranum" <mjr@ranum.com>
    Date: Sat, 21 May 2005 12:25:13 -0400
    
    

    On May 20, 2005, at 10:02 PM, Marcus J. Ranum wrote:
    >>> How about excessive ICMP filtering breaking path MTU discovery?
    >
    > Another perfect example of a bunch of egg-heads in the IETF
    > coming up with a mechanism for doing something that
    > completely ignored existing implementations of security
    > systems - and breaks as a result. The PMTU discovery
    > mechanism, using ICMP, was moronic design from the get-go.

    I could care less whether a firewall breaks PMTU discovery to someone's
    accounting machine or to the control and monitoring systems at the
    local power plant, because I and other legitimate users are never
    going to talk to such systems, and because such machines very probably
    should not be Internet-routable to begin with.

    By definition, the IETF is concerned with systems which interoperate
    over public networks using network-wide conventions and publicly
    documented standards. What people do with private machines or private
    networks is up to them, at least so long as they *don't* connect those
    machines to the Internet. However, when someone publishes an MX
    record, or sets up www.company.com in the DNS, they are choosing to
    interact with the rest of the Internet.

    A firewall which breaks ESMTP, or HTTP/1.1, or PMTUD to such machines
    (typically in a DMZ) significantly impacts legitimate access with
    questionable gains at best for security, and IMHO is a poor tradeoff.
    You shouldn't be putting the crown jewels on a DMZ host to begin with.

    And as for PMTUD, I'd be happy to see a better solution for MTU
    discovery, short of depending on all intermediate routers to handle IP
    fragmentation in an efficient and sane fashion. Do you have something
    better, Marcus...?

    -- 
    -Chuck
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
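The mechanism being argued over, as an added example that is not part of the original thread or of any firewall product's code: a small offline simulation of RFC 1191 path MTU discovery against two filtering policies. It builds real IPv4 and ICMP type 3/code 4 ("fragmentation needed") bytes, then compares a firewall that drops all ICMP with one that passes only a well-formed fragmentation-needed message whose quoted inner header matches a flow it already forwarded outbound (the "related" treatment stateful firewalls apply to ICMP errors). The addresses (10.0.0.2, 198.51.100.10, 192.0.2.x), the MTUs (1500/1400/1500), the single TCP segment and the policy names are constructed for the example.

```python
"""Path MTU discovery (RFC 1191) against two ICMP filtering policies, simulated offline.

A host behind a firewall sends Don't-Fragment datagrams over a path whose middle hop has
a smaller MTU. That router answers with ICMP Destination Unreachable / Fragmentation
Needed (type 3, code 4) carrying the next-hop MTU. If the firewall drops it, the sender
never learns the path MTU and full-size packets black-hole. The "related" policy passes
a type 3/code 4 only when the quoted inner header matches an outbound flow the firewall
already forwarded, which is how stateful firewalls treat ICMP errors. Addresses, MTUs
and the flow below are constructed for the example."""
import struct

IPPROTO_ICMP, IPPROTO_TCP = 1, 6


def checksum(data: bytes) -> int:
    """One's-complement Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4(src: bytes, dst: bytes, proto: int, payload: bytes, df: bool = True) -> bytes:
    """Minimal 20-byte IPv4 header in front of payload; DF bit set unless df=False."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0,
                      0x4000 if df else 0, 64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def frag_needed(router: bytes, offending: bytes, next_hop_mtu: int) -> bytes:
    """ICMP type 3 code 4 as a router emits it: next-hop MTU plus the offending
    IP header and first 8 bytes of its payload (RFC 1191 section 4)."""
    icmp = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + offending[:28]
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ipv4(router, offending[12:16], IPPROTO_ICMP, icmp, df=False)


def flow_of(pkt: bytes):
    """(src, dst, proto, sport, dport) of an IPv4 packet carrying a TCP/UDP header."""
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return pkt[12:16], pkt[16:20], pkt[9], sport, dport


def parse_icmp_error(pkt: bytes):
    """(type, code, next_hop_mtu, quoted_flow) for an ICMP error message, or None if
    the packet is not ICMP, is too short, or its checksum does not verify."""
    if pkt[9] != IPPROTO_ICMP:
        return None
    icmp = pkt[(pkt[0] & 0x0F) * 4:]
    if len(icmp) < 36 or checksum(icmp) != 0:
        return None
    itype, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    return itype, code, mtu, flow_of(icmp[8:])


class Firewall:
    """policy 'drop_icmp': every ICMP packet is dropped (the over-filtering in the thread).
    policy 'related': only a well-formed type 3/code 4 quoting a flow seen outbound passes."""

    def __init__(self, policy: str):
        self.policy = policy
        self.flows = set()

    def outbound(self, pkt: bytes) -> None:
        self.flows.add(flow_of(pkt))

    def allows_inbound(self, pkt: bytes) -> bool:
        if pkt[9] != IPPROTO_ICMP:
            return True
        if self.policy == "drop_icmp":
            return False
        parsed = parse_icmp_error(pkt)
        if parsed is None:
            return False
        itype, code, _mtu, quoted = parsed
        return itype == 3 and code == 4 and quoted in self.flows


def pmtud_transfer(fw: Firewall, payload_len: int, hop_mtus=(1500, 1400, 1500), max_tries=6):
    """Host 10.0.0.2 sends one DF TCP segment to 198.51.100.10 across hops with the given
    MTUs (hop 0 is its own link). Returns (delivered, final_pmtu_estimate, tries)."""
    src, dst = bytes([10, 0, 0, 2]), bytes([198, 51, 100, 10])
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x18, 65535, 0, 0)
    pmtu = hop_mtus[0]
    for tries in range(1, max_tries + 1):
        room = pmtu - 20 - len(tcp_hdr)
        pkt = ipv4(src, dst, IPPROTO_TCP, tcp_hdr + b"A" * min(payload_len, room))
        fw.outbound(pkt)
        error = None
        for hop, mtu in enumerate(hop_mtus):
            if len(pkt) > mtu:                       # router cannot forward a DF packet
                error = frag_needed(bytes([192, 0, 2, hop]), pkt, mtu)
                break
        if error is None:
            return True, pmtu, tries
        if fw.allows_inbound(error):
            pmtu = parse_icmp_error(error)[2]        # RFC 1191: adopt next-hop MTU, retry
        # otherwise the error is silently dropped: the host retransmits at the same size
    return False, pmtu, max_tries


if __name__ == "__main__":
    for policy in ("drop_icmp", "related"):
        print(policy, pmtud_transfer(Firewall(policy), payload_len=4000))
```

With the "drop_icmp" policy the 1500-byte segment is retransmitted until the retry budget is exhausted and never arrives; with "related" the first fragmentation-needed message is accepted, the estimate drops to 1400 and the second attempt gets through. Small packets that fit the narrowest hop succeed under either policy, which is why this class of breakage only shows up on bulk transfers. Matching the quoted inner header limits, but does not eliminate, spoofed fragmentation-needed messages: an attacker who can guess the 5-tuple can still drive the estimate down, which is why hosts enforce a floor (Linux's net.ipv4.route.min_pmtu, 552 by default). On a real Linux host the equivalent check is `tracepath <host>` or `ping -M do -s <size> <host>`; and the same reasoning applies with more force to IPv6, where routers never fragment and ICMPv6 Packet Too Big (type 2) must not be filtered at all.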
    
