
RE: Time to move beyond the 32 bit Internet.

2014-07-01 14:20:10
I should have included one more aspect in the third set. That is 
traffic disallowed by policy. Current top-of-mind in security
circles includes NTP attacks - someone sends a message with a 
spoofed source address to an NTP server, which now sends 
something to that address every mumble time units...

Presumably, your firewall could have some kind of source address verification 
that takes care of such spoofing. 

As for "diode firewalls," they can be bypassed trivially using ICE, STUN, etc. 
That is, as long as the application is using UDP. Which means that instead of 
applications running over TCP, they will need to use some reliable transport 
over UDP. There are plenty of those...

Now, we can debate whether the Internet will be a better place with diode 
firewalls instead of routers and transport over UDP instead of TCP.

-- Christian Huitema
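The "source address verification" mentioned above, as an added example that is not part of this thread: a Python model of reverse-path (uRPF-style) ingress filtering, run over a constructed routing table and constructed packets. Interface names, prefixes and addresses are assumed for illustration only.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed routing table: prefix -> interface that reaches it.
# "site0" faces the internal network, "uplink0" faces the provider.
ROUTES: Dict[str, str] = {
    "192.0.2.0/24": "site0",      # internal documentation prefix
    "198.51.100.0/24": "site0",   # a second internal prefix
    "0.0.0.0/0": "uplink0",       # default route towards the Internet
}

def best_route(src: str) -> Optional[Tuple[ipaddress.IPv4Network, str]]:
    """Longest-prefix match for the source address; None if unroutable."""
    addr = ipaddress.ip_address(src)
    matches = [(ipaddress.ip_network(p), ifc) for p, ifc in ROUTES.items()
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)

def source_allowed(src: str, ingress_ifc: str, strict: bool = True) -> bool:
    """Strict mode: the best route back to src must leave via the ingress
    interface (strict uRPF). Loose mode only requires some route to src,
    which with a default route present lets every source through."""
    route = best_route(src)
    if route is None:
        return False
    return route[1] == ingress_ifc if strict else True

def filter_packets(packets: List[Tuple[str, str, str]]) -> List[str]:
    """Verdict 'pass' or 'drop' for each (src, dst, ingress_ifc) triple."""
    return ["pass" if source_allowed(s, ifc) else "drop" for s, _, ifc in packets]

# Constructed sample traffic, e.g. NTP requests arriving on either side.
SAMPLE: List[Tuple[str, str, str]] = [
    ("192.0.2.10", "203.0.113.5", "site0"),     # internal host, genuine source
    ("203.0.113.77", "192.0.2.10", "uplink0"),  # external host, genuine source
    ("203.0.113.5", "192.0.2.10", "site0"),     # internal host spoofing an outside victim
    ("192.0.2.10", "192.0.2.10", "uplink0"),    # outside packet claiming our own prefix
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, filter_packets(SAMPLE)):
        print(pkt, verdict)
```

The two spoofed packets are the ones that would otherwise let a reflected NTP reply land on a victim; strict mode drops both, while loose mode on an edge with a default route drops neither.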