RE: [fw-wiz] A fun smackdown...

From: Bill Royds (broyds_at_rogers.com)
Date: 05/22/05

  • Next message: Don Kendrick: "Re: [fw-wiz] A fun smackdown..."
    Date: Sun, 22 May 2005 01:00:57 -0400
    
    

    I once thought it might be useful to write a generic proxy for other than the 6
    protocols that are actually proxied, by looking at a grammar or BNF diagram or
    state diagram of the other protocols and writing a parser to ensure that the
    protocol was at least correct according to the RFC.
      But RFCs don't have true descriptions of the protocol that they are supposed
    to be describing. More than anything, they are basically descriptions of what
    they want the protocol to do, but not descriptions of exactly what the syntax
    and semantics of the protocol should be. It would be almost impossible to write
    a proxy that took a grammar and verified the validity of a stream purporting to
    follow that proxy. You have to do what Marcus did with the DEC SEAL/Gauntlet
    and others: write a proxy for a subset of a protocol that validates the semantics
    that the author feels to be somewhat securable and still useful.

      But that is also why the Internet based on TCP/IP has been so successful. It
    is defined "close enough" that different manufacturers of hardware and software
    can create different products that operate somewhat together, so that there is
    plenty of choice of both hardware and software that will work over the Internet.
    Lack of security is what made TCP/IP survive ahead of things like X.25, which
    spent a lot of overhead verifying packet validity, reception, integrity etc.,
    including ensuring some security over the "virtual circuits" that it created.
    But the more secure but slower protocol lost out to the less secure but faster
    and more easily implementable protocol, which has created the Internet we have
    today. The very fact that security was not a design goal for the Internet was a
    great part of its success. We are still living with that fact.

    -----Original Message-----
    From: firewall-wizards-admin@honor.icsalabs.com
    [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Marcus J. Ranum
    Sent: Friday, May 20, 2005 9:58 PM
    To: Chuck Swiger; Paul D. Robertson
    Cc: firewall-wizards@honor.icsalabs.com; Martin
    Subject: Re: [fw-wiz] A fun smackdown...

    Chuck Swiger wrote:
    >You are disagreeing with a design principle from the RFCs which discusses how
    >to create robust software protocols.

    The RFCs often used to contain the phrase "this RFC does not address
    security." Is that one of those great design principles the IETF uses
    to create "robust software protocols"??

    The RFC process creates interoperable *CRAP*.

    Standards that had been developed with security as even a passing
    thought would have had protocol command stacks divided into
    trusted modes and public modes from the get-go. I.e.: "internet-facing
    mail servers must support the HELO, MAIL, RCPT, DATA commands.
    mail servers facing trusted networks must support the untrusted commands
    plus HELP, VRFY, etc, etc, etc..."

    The RFCs are written by well-intentioned amateurs who never gave
    a rat's a&& for security, and the resulting Internet reflects it.

    mjr.

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

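The two ideas in this exchange, Bill's "parser that checks a stream against the subset of the protocol you actually understand" and Marcus's split of the SMTP command set into an internet-facing subset and a trusted-network subset, can be shown together in one small filter. The following is an added example written for this page, not code from either poster or from DEC SEAL/Gauntlet. Everything in it beyond what RFC 5321 states is an assumption of the example: the membership of the two command sets (the quoted message names only HELO, MAIL, RCPT, DATA for the public side and HELP, VRFY for the trusted side; RSET, NOOP, QUIT, EHLO and EXPN are added so a session can actually complete), the hand-picked argument grammar (a subset of the RFC's ABNF, with no IPv6 literals, source routes or quoted local parts), the command-sequencing state machine, the class and function names `SmtpGate` and `run_session`, and the constructed sample session.

```python
import re

# Trust-zone command sets. The split follows the quoted proposal (the public side
# gets only what is needed to deliver mail); the exact membership is this
# example's assumption, not anything the thread or RFC 5321 specifies.
PUBLIC_COMMANDS = frozenset({"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"})
TRUSTED_COMMANDS = PUBLIC_COMMANDS | {"HELP", "VRFY", "EXPN"}

# Argument syntax per command: a hand-picked subset of RFC 5321, not its full ABNF.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
_DOMAIN = rf"{_LABEL}(?:\.{_LABEL})*"
_ADDR_LITERAL = r"\[\d{1,3}(?:\.\d{1,3}){3}\]"
_MAILBOX = rf"[^\s<>@]{{1,64}}@(?:{_DOMAIN}|{_ADDR_LITERAL})"
_PARAMS = r"(?: [A-Za-z0-9][A-Za-z0-9-]*(?:=[!-<>-~]+)?)*"   # ESMTP keyword=value pairs
ARG_SYNTAX = {
    "HELO": re.compile(rf"(?:{_DOMAIN}|{_ADDR_LITERAL})"),
    "EHLO": re.compile(rf"(?:{_DOMAIN}|{_ADDR_LITERAL})"),
    "MAIL": re.compile(rf"FROM:<(?:{_MAILBOX})?>{_PARAMS}", re.IGNORECASE),
    "RCPT": re.compile(rf"TO:<(?:{_MAILBOX}|Postmaster)>{_PARAMS}", re.IGNORECASE),
    "DATA": re.compile(r""), "RSET": re.compile(r""), "QUIT": re.compile(r""),
    "NOOP": re.compile(r"[ -~]*"),
    "HELP": re.compile(r"[A-Za-z]*"),
    "VRFY": re.compile(r"[!-~]+"), "EXPN": re.compile(r"[!-~]+"),
}

MAX_COMMAND_LINE = 512   # RFC 5321 section 4.5.3.1.4, octets including CRLF
MAX_TEXT_LINE = 1000     # RFC 5321 section 4.5.3.1.6, octets including CRLF

# Command sequencing (the state-diagram check the first message talks about):
# state -> {command: next state}. A command absent from a state is out of order.
STATE_MACHINE = {
    "connected": {"HELO": "greeted", "EHLO": "greeted", "RSET": "connected"},
    "greeted":   {"HELO": "greeted", "EHLO": "greeted", "MAIL": "mail", "RSET": "greeted"},
    "mail":      {"RCPT": "rcpt", "RSET": "greeted"},
    "rcpt":      {"RCPT": "rcpt", "DATA": "data", "RSET": "greeted"},
}
ANY_STATE = {"NOOP", "QUIT", "HELP", "VRFY", "EXPN"}   # legal in every command state


class SmtpGate:
    """Validates one client's command stream on behalf of a proxy, line by line."""

    def __init__(self, zone):
        self.zone = zone                       # "public" or "trusted" (example's assumption)
        self.allowed = TRUSTED_COMMANDS if zone == "trusted" else PUBLIC_COMMANDS
        self.state = "connected"

    def feed(self, line):
        """line: one CRLF-terminated bytes line. Returns (forward_to_server, reason)."""
        if self.state == "closed":
            return False, "session closed"
        if not line.endswith(b"\r\n"):
            return False, "line not CRLF-terminated"
        if self.state == "data":                # message text until a lone "."
            if len(line) > MAX_TEXT_LINE:
                return False, "text line too long"
            if line == b".\r\n":
                self.state = "greeted"
            return True, "message text"
        if len(line) > MAX_COMMAND_LINE:
            return False, "command line too long"
        body = line[:-2]
        if any(b < 0x20 or b > 0x7E for b in body):
            return False, "non-printable byte in command line"
        verb, _, arg = body.decode("ascii").partition(" ")
        verb = verb.upper()
        if verb not in ARG_SYNTAX:
            return False, "unknown command %r" % verb
        if verb not in self.allowed:            # the trusted/public split
            return False, "%s not permitted in %s zone" % (verb, self.zone)
        if not ARG_SYNTAX[verb].fullmatch(arg):  # the grammar check
            return False, "malformed %s argument" % verb
        if verb in ANY_STATE:
            if verb == "QUIT":
                self.state = "closed"
            return True, "ok"
        nxt = STATE_MACHINE[self.state].get(verb)  # the sequencing check
        if nxt is None:
            return False, "%s out of order in state %s" % (verb, self.state)
        self.state = nxt
        return True, "ok"


def run_session(zone, lines):
    """Feed a whole client stream; returns [(line, forward, reason), ...]."""
    gate = SmtpGate(zone)
    return [(line,) + gate.feed(line) for line in lines]


# Constructed sample session (not a captured one) exercising each check above.
SAMPLE_PUBLIC = [
    b"EHLO mx.example.net\r\n",
    b"VRFY postmaster\r\n",                        # trusted-only command on the public side
    b"MAIL FROM:<alice@example.net>\r\n",
    b"DATA\r\n",                                   # out of order: no RCPT yet
    b"RCPT TO:<bob@example.com> NOTIFY=NEVER\r\n",
    b"DATA\r\n",
    b"Subject: hi\r\n",
    b"X: " + b"a" * 1200 + b"\r\n",                # over the 1000-octet text line limit
    b".\r\n",
    b"QUIT\r\n",
]
```

Running `run_session("public", SAMPLE_PUBLIC)` rejects the VRFY, the premature DATA and the over-long text line and forwards the rest; the same stream through `SmtpGate("trusted")` lets VRFY through. Note what the example does not do, which is Bill's point: the grammar above is the subset its author chose to understand, so an RFC-legal `RCPT TO:<@relay:user@example.com>` source route is rejected as malformed, and a real deployment has to decide case by case whether that loss is acceptable.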


