On Fri, 7 May 2004 23:03:02 +0200
Iljitsch van Beijnum <iljitsch(_at_)muada(_dot_)com> wrote:
On 7-mei-04, at 21:51, Christian Huitema wrote:
The old assumption used to be that if a host has an IP
address, it can receive pretty much any packet sent to that
address. The practical situation we have today is that if two
hosts communicate over a given protocol and port, they can
receive packets from the same "five tuple" but are not
guaranteed to receive other packets. This has an important
consequence for many IETF designed protocols, including
indeed path MTU discovery.
So you are saying that when a host sends out an IP packet with
the DF bit set, it's ok for that host (or any system on the
path to that host) to filter out ICMP "fragmentation needed but
DF bit set" messages?
Filtering on protocol/port numbers is a broken concept. When
are we going to take the time to come up with a *real* security
architecture? One that allows hosts to receive wanted packets
and reject unwanted ones,
I've only read the abstract, however Steve Bellovin's
"Distributed Firewalls"
(http://www.research.att.com/~smb/papers/distfw.html) seems to
suggest exactly that.
Interestingly, with all the recent attacks on Microsoft software,
they seem to be going down this distributed firewalls path, where
each host has a firewall. I'm not sure if they are aware of
Steve's paper, or whether it is a result of these worms almost
always seeming to be being able to bypass any network based
security in place anyway. I'd suspect the latter.
Linux and other OSs have already have firewalls built in, so
maybe we are seeing an unplanned and evolutionary transition to
this model.
rather than the current one where any
correlation to whether a packet is wanted and whether it's
rejected seems coincidental at best? One that at least
entertains the possibility of doing something about denial of
service attacks? And, last but not least, one that allows
reasonable protocols, carrying desired communication, to
function without undue breakage?
I've understood that what you have described is the end-goal
of end-to-end, opportunistic encryption and authentication ie.
IPsec. Once the network can't tell what type of traffic it is,
ie. the port numbers (or protocol numbers if IPsec is run in
tunnel mode), these network based firewalls will be useless, and
hopefully will be turned off.
That wouldn't necessarily remedy denial of service attacks
though. I think denial of service attacks will always be possible
if entities can issue traffic to the network in an unregulated or
unidentified manner.
An "IPsec" only Internet would provide a disincentive to DoS, as
I'd presume that it implies that end-points are uniquely
identified, which allows responsibility for these attacks to be
attributed. That may not be a world we want to live in though as
anonimity in communications can also be a useful privacy feature.
In a few respects, DoS attacks and Spam are similar - they rely
on or assume near or absolute source anonimity, and very low
costs of transmission. If, or hopefully when, any solutions are
found to the spam problem, the fundamental methods or techniques
may be able to be applied to DoS attacks.
Regards,
Mark.
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf