Re: [fw-wiz] A fun smackdown...
From: Chuck Swiger (chuck_at_codefab.com)
To: "Marcus J. Ranum" <firstname.lastname@example.org>
Date: Sat, 21 May 2005 14:21:39 -0400
On May 21, 2005, at 12:58 PM, Marcus J. Ranum wrote:
> Chuck Swiger wrote:
>> By definition, the IETF is concerned with systems which interoperate
>> over public networks using network-wide conventions and publicly
>> documented standards. What people do with private machines or
>> private networks is up to them, at least so long as they *don't*
>> connect those machines to the Internet.
> You're completely ignoring the fundamental dilemma that I am trying
> to get you to confront. My position in a nutshell:
> - "Standards that don't take security into account are not
> and you're asserting
> - "If you don't follow standards you break 'legitimate' traffic"
> The problem is that, since the standards don't take security into
> account, the traffic is not 'legitimate' - it's 'dangerous' and a
> security device can and SHOULD interfere with it.
You've asserted that all standards are useless. You've asserted that
standards which do not take security into account are not
internet-worthy. You seem to believe that no Internet standard is
legitimate and all traffic must be considered dangerous.
Your position is comprehensible but so extreme as to not be especially
useful. By analogy:
There is a non-skid surface on the floor of my tub, but I could still
break my neck if I slipped, I suppose. Should I worry about this
horrible possibility excessively? So much that I forget to lock my
front door? It's useful to worry about stuff which is likely to
happen, is likely to matter, and is something you can do something
useful about, without spending so much effort that the net impact
outweighs the loss of productive work.
> Maybe the first time someone invents a PMTUD denial of
> service attack you'll "get it."
People have already played lots of games using ICMP traffic.
Rate-limiting ICMP responses and preventing replies to network
broadcast addr's to prevent amplification/DoS works pretty well for
If I try to talk to www.example.com:80 using DF, I expect that to work.
I don't agree that a firewall should block ICMP unreachable messages
generated for a connection which would normally be permitted by the
security policy. Rate-limit, sure. But not blackhole...
--
-Chuck
_______________________________________________
firewall-wizards mailing list
email@example.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
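The policy Chuck argues for in the post above (let ICMP unreachable messages through when they belong to a connection the firewall already permits, rate-limit them, but never blackhole them) is easy to state and slightly fiddly to get right, because the firewall has to look inside the ICMP error at the quoted original header. The following is an added example, not code from the e-mail or from any firewall product: a small Python model of that decision for ICMP type 3 / code 4 ("fragmentation needed and DF set", the message PMTUD depends on). The packet builder, the connection table, the addresses (documentation ranges) and the token-bucket parameters are all constructed for illustration.

```python
"""Model of the policy in the post above: pass ICMP "fragmentation needed"
(type 3, code 4) only when it quotes a connection the policy already permits,
validate it, and rate-limit rather than blackhole. Added example; packet bytes
and the connection table are constructed for illustration."""
import socket
import struct

ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4      # code under type 3: "fragmentation needed and DF set"
IPPROTO_TCP = 6
IPV4_MIN_MTU = 68         # RFC 791 minimum; a smaller advertised MTU is bogus


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; verifying valid data yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, df):
    """20-byte IPv4 header with checksum filled in (constructed, no options)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                      0x4000 if df else 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def frag_needed_packet(router, host, inner_src, inner_dst, sport, dport, mtu, inner_df=True):
    """Constructed ICMP 3/4 from router to host, quoting the original IPv4
    header plus 8 bytes of TCP (what RFC 792 requires a router to echo back)."""
    quoted = (ipv4_header(inner_src, inner_dst, IPPROTO_TCP, 1400, inner_df)
              + struct.pack("!HHI", sport, dport, 1))        # sport, dport, seq
    icmp = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, mtu) + quoted
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ipv4_header(router, host, socket.IPPROTO_ICMP, len(icmp), False) + icmp


def parse_frag_needed(packet):
    """Return router, host, next-hop MTU, quoted DF bit and quoted 5-tuple,
    or None if this is not a well-formed fragmentation-needed message."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != socket.IPPROTO_ICMP or len(packet) < ihl + 8 + 28:
        return None
    icmp = packet[ihl:]
    if checksum(icmp) != 0:                       # corrupted or badly forged
        return None
    itype, code, _, _, mtu = struct.unpack("!BBHHH", icmp[:8])
    if itype != ICMP_DEST_UNREACH or code != ICMP_FRAG_NEEDED:
        return None
    inner = icmp[8:]
    inner_ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or len(inner) < inner_ihl + 8:
        return None
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return {
        "router": socket.inet_ntoa(packet[12:16]),
        "host": socket.inet_ntoa(packet[16:20]),
        "mtu": mtu,
        "inner_df": bool(inner[6] & 0x40),
        "flow": (socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20]),
                 inner[9], sport, dport),
    }


class TokenBucket:
    """`rate` messages per second sustained, up to `burst` at once."""
    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens, self.last = rate, burst, float(burst), None

    def allow(self, now):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1:
            return False
        self.tokens -= 1
        return True


def verdict(packet, conntrack, bucket, now):
    """Firewall decision for one inbound ICMP datagram.
    conntrack: set of (src, dst, proto, sport, dport) flows the policy permits."""
    info = parse_frag_needed(packet)
    if info is None:
        return "DROP-INVALID"
    if info["host"] != info["flow"][0]:
        return "DROP-MISMATCH"          # error not addressed to the quoted sender
    if not info["inner_df"]:
        return "DROP-NO-DF"             # DF clear: a router had no reason to send this
    if info["mtu"] < IPV4_MIN_MTU:
        return "DROP-BAD-MTU"
    if info["flow"] not in conntrack:
        return "DROP-UNKNOWN-FLOW"      # not related to a permitted connection
    if not bucket.allow(now):
        return "RATELIMITED"            # excess dropped, but the flow is not blackholed
    return "ACCEPT"


if __name__ == "__main__":
    table = {("10.0.0.5", "198.51.100.80", IPPROTO_TCP, 40000, 80)}   # permitted outbound HTTP
    bucket = TokenBucket(rate=10, burst=3)
    pkt = frag_needed_packet("192.0.2.1", "10.0.0.5", "10.0.0.5", "198.51.100.80", 40000, 80, 1280)
    for t in (0.0, 0.0, 0.0, 0.0, 1.0):
        print(t, verdict(pkt, table, bucket, t))
    stray = frag_needed_packet("192.0.2.1", "10.0.0.5", "10.0.0.5", "203.0.113.9", 40001, 443, 1280)
    print("stray", verdict(stray, table, bucket, 0.0))
```

The ordering of the checks is the point: structural validity and the quoted-flow lookup come first, so a flood of unsolicited "fragmentation needed" messages never touches the rate limiter at all, and the limiter only shapes the errors that are genuinely related to permitted traffic. A stateful Linux firewall does the same thing in the kernel by classifying such ICMP errors as related to the original connection; accepting them under a rate limit rather than dropping ICMP wholesale is what keeps a DF-flagged connection to a web server working across a path with a smaller MTU.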