
Re: Internet SYN Flooding, spoofing attacks

2000-02-28 15:50:03
Vernon Schryver wrote:

Actually, those who understand the security problem of IP source routes
know something else.  IP source route options are not problems except to
broken hosts.  It would be nice to think there are no longer such broken
hosts on the net, but that is too much to expect.  In a reasonable world,
we would expect anyone who cannot install non-broken software on their
hosts to install filters against IP source routes where they will do the
least damage, close to the broken hosts.

        That is one of the reasons I think cryptography between servers
(SSH/IPsec, for example) and other technologies will be of great
use, although I am studying many other standards and do not yet have a
consistent opinion.

However, in this world, the news about the irredeemable evil of all ICMP
packets will join year-old news about the utter evil and uselessness of
IP source routes and IEEE 802.3 collisions.  We'll be hearing about all
three for the next 50 years.  (From my poking around, it appears that more
than half of the Internet is now filtering all ICMP TTL-Exceeded, so the
damage done to `traceroute -g`, `ping -R`, and other things by filtering
IP source routes does not matter.)

        Unfortunately those other fifty percent do matter in this world where
people poke around exceedingly, as I have been experiencing here in
Brazil. I expect to be publishing security news in *Portuguese*, as the
Brazilian community needs a public site regarding security.

Assuming there is an algorithmic definition of "strangely high
traffic from a unique site", how would a backbone and so Terabit/sec
router log anything about it?  Is it easy to define, detect, and
record state for streams if they are strangely high, and the reports
about the difficulties of maintaining state for "multimedia" and
similar buzzword streams do not apply?

        Well, there is not exactly a way to determine it, except by probing for
deterministic situations in the packets written to the network, and that
can still be dangerous for innocent hosts. The only other way is to build a
completely trusting network, and that is, unfortunately, impossible given
the enormity of the Internet.

Judging from their volume, the world needs a lot more documents about
network or computer security that are more repetitions of trade rag rumors
and security vendor marketing wishes than facts.  However, there's no
reason for the IETF to compete with the current publishers of such works.

        Fortunately I will try to distribute certain information about network
security. But I need some tips and I will be grateful if the IETF can
contribute. Sincerely, it would be very nice to see IETF names floating
by my side.

        As always, the more information you inject into the network, the better
it becomes.

        Cesar Suga <sartre(_at_)linuxbr(_dot_)com>
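The filter Vernon recommends, placed "close to the broken hosts", has to parse the IPv4 option list to tell a source-routed packet from one that merely carries Record Route. The following is editor-added example code, not something posted in this thread: it walks the options of an IPv4 header, drops packets carrying LSRR (type 131) or SSRR (type 137), which is what `traceroute -g` uses, and passes Record Route (type 7), which is what `ping -R` uses. Packets with an unparseable option list are also dropped, a conservative choice that is my own. The function names and the sample packets (built in the block with zeroed checksums and RFC 5737 test addresses) are constructed for the example and are not from the original message.

```python
import socket
import struct

# IPv4 option type codes (RFC 791)
IPOPT_EOL = 0      # end of option list
IPOPT_NOP = 1      # no-operation (single-byte padding)
IPOPT_RR = 7       # record route: what `ping -R` sends
IPOPT_LSRR = 131   # loose source and record route: what `traceroute -g` sends
IPOPT_SSRR = 137   # strict source and record route


def ip_options(packet: bytes):
    """Yield (type, data) for every option in an IPv4 header.

    `data` is the option body after the type and length bytes.
    Raises ValueError when the header or an option is malformed.
    """
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version = packet[0] >> 4
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("bad version or IHL")
    opts = packet[20:ihl]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:
            return
        if kind == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option without length byte")
        length = opts[i + 1]
        # length counts type and length bytes too, so it can never be < 2
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        yield kind, opts[i + 2:i + length]
        i += length


def source_route_verdict(packet: bytes):
    """Return ("drop", hops) for source-routed packets, ("drop", reason)
    for malformed ones, and ("pass", reason) otherwise."""
    try:
        for kind, data in ip_options(packet):
            if kind in (IPOPT_LSRR, IPOPT_SSRR):
                # data[0] is the pointer; the rest is a list of 4-byte hops
                raw_hops = [data[j:j + 4] for j in range(1, len(data), 4)]
                hops = [socket.inet_ntoa(h) for h in raw_hops if len(h) == 4]
                return "drop", hops
    except ValueError as exc:
        return "drop", f"malformed options: {exc}"
    return "pass", "no source route option"


def build_ipv4(src: str, dst: str, options: bytes = b"") -> bytes:
    """Build a minimal IPv4 header (checksum left zero) with optional options.
    Constructed for this example; not a packet captured from any network."""
    while len(options) % 4:
        options += bytes([IPOPT_EOL])      # pad the option list to 32 bits
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s",
                        (4 << 4) | ihl, 0, 20 + len(options), 0, 0,
                        64, 6, 0,
                        socket.inet_aton(src), socket.inet_aton(dst))
    return fixed + options


def lsrr_option(hops) -> bytes:
    """Loose source route option listing the given hops (pointer starts at 4)."""
    route = b"".join(socket.inet_aton(h) for h in hops)
    return bytes([IPOPT_LSRR, 3 + len(route), 4]) + route


def rr_option(slots: int) -> bytes:
    """Empty record-route option with `slots` free address slots."""
    return bytes([IPOPT_RR, 3 + 4 * slots, 4]) + b"\x00" * (4 * slots)


# Constructed sample packets (RFC 5737 documentation addresses)
PLAIN_PKT = build_ipv4("192.0.2.1", "198.51.100.7")
LSRR_PKT = build_ipv4("192.0.2.1", "198.51.100.7",
                      lsrr_option(["203.0.113.1", "198.51.100.9"]))
RR_PKT = build_ipv4("192.0.2.1", "198.51.100.7", rr_option(3))
MALFORMED_PKT = build_ipv4("192.0.2.1", "198.51.100.7", bytes([IPOPT_LSRR, 0]))

if __name__ == "__main__":
    for name, pkt in [("plain", PLAIN_PKT), ("lsrr", LSRR_PKT),
                      ("record-route", RR_PKT), ("malformed", MALFORMED_PKT)]:
        print(name, source_route_verdict(pkt))
```

The option walk is the part that matters for a filter placed in front of hosts that mishandle options: EOL and NOP are one byte, everything else carries a length byte, and a length below 2 or running past the header is a malformed list rather than an option to interpret. Record Route is passed deliberately, so a filter of this shape does not break `ping -R`.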