Re: IP address <--> Global Positioning System (GPS)

From: Melinda Shore (shore@panix.com)
Date: 05/25/02

  • Next message: Nico Kadel-Garcia: "Re: IP address <--> Global Positioning System (GPS)" 

    From: shore@panix.com (Melinda Shore)
Date: 25 May 2002 11:06:14 -0400

    In article <ozMH8.5889$Np5.360@nwrddc01.gnilink.net>,
    Nico Kadel-Garcia <nkadel@bellatlantic.net> wrote:
    >??? DHCP re-allocation is quite common for the laptop and mobile link
    >community, and even non-dynamic allocation such as network re-assignments
    >are very common.

    I don't believe that reassignment when an address has not
    been timed or released is at all common, and it's certainly
    not something to be encouraged. Lack of a fixed address can
    be mitigated by things like application-layer registration,
    but changing an interface address while in use is going to
    tear down any existing application "sessions" (I'm not crazy
    about that word, but it will do for now). It will also
    interfere with the ability of an application to function
    properly in the face of dynamic address assignment, since it
    will cause registrations to become invalid.

    I accept that this might be okay for someone who does
    nothing but web browsing, but for many (most?) people that's
    not sufficient. I also accept that having service
    interrupted and re-established from time to time might be
    acceptable for some people, but probably not for most, and
    the number of people for whom it is acceptable will shrink
    as expectations rise with greater broadband availability and
    as more services migrate to IP.

    3GPP's design point is 10s of millions of handsets, which
    clearly represents an addressing challenge. How would you
    feel about losing calls due to address changes in mid-call?
    What if other utilities did the same thing? For example,
    how would you feel if your electrity went out for a couple
    of minutes at random times?

    Coming at it from the other direction, I can understand why
    service providers might want to run their services this way
    but I don't see why they'd want to use IP as their
    networking technology if that's really what they're intent
    on doing. IP was clearly not designed to support this kind
    of behavior, and unfortunately we're in a situation in which
    we're developing fixes for problems that were introduced by
    doing things we shouldn't have done in the first place (say,
    NAT) and they bring their own problems with them which
    require fixes, as well. It's created an extremely unstable
    environment in which a small failure in one piece of the
    system brings the whole thing down.

    It also has unintended consequences for security. For
    example, stateful inspection/rewrite and ALGs are currently
    two of the more popular and widely-deployed mechanisms for
    getting complex application protocols across firewalls and
    NATs. Unfortunately, using stateful inspection means that
    traffic has to travel in the clear, and using ALGs means
    that traffic is being terminated on a device other than the
    one you're trying to call. You can't have end-to-end
    encryption, so things like credit card numbers (encoded as
    DTMF), which are carried in the signaling stream in H.323,
    travel in the clear, as do other dialed digits and called
    party information. Stateful rewrites of signaling payloads
    in order to accomodate NAT mean that you can't authenticate
    the data. One problem we're looking at now is how to allow
    a device behind a firewall to receive an incoming call
    without providing a general-purpose mechanism for defeating
    local firewall policy.

    Unfortunately these security devices that are being used to
    police network borders are interfering with application
    security in very specific, identifiable ways. Network
    administrators who don't understand this are facing some
    fairly serious security vulnerabilities as increasingly
    complex services are rolled out. 

    -- 
     Melinda Shore - Software longa, hardware brevis - shore@panix.com
          If you send me harassing email, I'll probably post it

    Relevant Pages

    • << SBS News of the week - Sept 26 >>
      ... And he points to the info you need to put the file on the server in the ... at the network perimeter. ... The Symantec Firewall/VPN and the Gateway Security ... by the firewall at risk. ...
      (microsoft.public.backoffice.smallbiz)
    • << SBS News of the week - Sept 26 >>
      ... And he points to the info you need to put the file on the server in the ... at the network perimeter. ... The Symantec Firewall/VPN and the Gateway Security ... by the firewall at risk. ...
      (microsoft.public.backoffice.smallbiz2000)
    • << SBS News of the week - Sept 26 >>
      ... And he points to the info you need to put the file on the server in the ... at the network perimeter. ... The Symantec Firewall/VPN and the Gateway Security ... by the firewall at risk. ...
      (microsoft.public.windows.server.sbs)
    • Re: Root exploit for FreeBSD
      ... for two ports to my FreeBSD portscluster nodes. ... and it gives the firewall ... US this is also quite common, at least with regards to University ... if your computer is going to connect on our network it must be configured in certain ways and behave "normally" or you won't get a connection. ...
      (freebsd-questions)
    • Re: Root exploit for FreeBSD
      ... for two ports to my FreeBSD portscluster nodes. ... and it gives the firewall ... US this is also quite common, at least with regards to University ... if your computer is going to connect on our network it must be configured in certain ways and behave "normally" or you won't get a connection. ...
      (freebsd-current)