Re: draft-ietf-grip-isp-00.txt now available
Hi Phil,
>Not only that, but source address filtering is far more of a pain in
>the ass for the legitimate user than a meaningful impediment to an
>attacker. For example, Time Warner's Road Runner cable modem service
>here in San Diego implements source address filtering. But my home
>network is dual-homed between RR and a ISDN dialup to Qualcomm. To
>evade this filter and the many problems it causes, I set up a "tunnel"
>machine on Qualcomm's DMZ and IP-in-IP encapsulate all my default
>outbound traffic. Needless to say, the presence of even one such
>tunnel machine on the Internet makes it possible for anyone to evade
>his or her ISP's source address filter.
>
>And, as we've heard, source address filtering either breaks Mobile IP
>or requires the use of IP-in-IP tunneling in both directions (which
>creates even more tunnel systems on the net.)
>
>There are much better solutions to the TCP syn flooding attack than IP
>source address filtering. It's just a bad idea. The end system fix is
>the only true path to security.
Source address filtering greatly reduces the number of spoofing-based
attacks, and is something that can be done today. Clearly the really
determined attacker will find a way around it.
I'd welcome wider comment on the issues relating to mobile IP.
>>> There is no justification for any mail relay on the Internet being left
>>> completely open
>
>>Seems a pretty absolutist statement. Too early to think of counterexamples,
>>but I am sure someone can.
>
>Sure. How about SMTP relay servers set up for the use of traveling
>Eudora users? Eudora cannot resolve MX records and deliver mail
>directly; it tosses all its outbound mail on a friendly local SMTP
>relay site, traditionally a UNIX box running sendmail. While such a
>relay can be protected from spammers by being placed inside a
>corporate firewall, this doesn't help users travelling outside the
>firewall. True, it's possible and desirable to set up a TCP forwarding
>tunnel with SSH for your POP and SMTP connections, but that doesn't
>mean there isn't a legitimate reason to leave a mail relay open.
Another alternative is to use a friendly local SMTP relay site where the
travelling users connect. So far the only legitimate reason for open
mail relays that I've heard is anonymous remailers.
>>> Sanctions for running an open mail relay should be covered in an ISP's
>>> AUP.
>
>>Are you suggesting that an ISP should act against a customer who runs an
>>open relay? This is not the way the internet is run today.
>
>Agreed. When an open mail relay host gets discovered by the spammers,
>the main victim is the mail relay operator himself. That's usually
>plenty of incentive to turn off relaying.
As I said to Randy, I don't think that's sufficient to get the
operator's attention.
Tom.
--
Tom Killalea (425) 649-7417 NorthWestNet
tomk@nwnet.net
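The exchange above about source address filtering and IP-in-IP tunnelling, as an added example that is not part of the original thread and not code from either correspondent: a small model of an ISP edge that permits only packets whose outer source lies in the customer's assigned prefix, and of a tunnel host on a DMZ that decapsulates IP-in-IP and forwards whatever inner packet it was handed. The topology, addresses (documentation ranges), and function names are constructed for illustration. It shows that a spoofed packet sent directly is dropped at the edge, that the same packet carried inside a tunnel with a legitimate outer source passes the edge and reaches the victim with the spoofed inner source intact, and that the tunnel endpoint can close the hole by applying the same kind of filter to the inner source it decapsulates.

```python
"""Model of ISP ingress (source address) filtering and its IP-in-IP blind spot.

Added example, not part of the mailing-list thread. Addresses are from the
documentation ranges and the topology is constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPIP = 4   # IP protocol number for IP-in-IP encapsulation
TCP = 6


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    inner: Optional["Packet"] = None   # the encapsulated packet when proto == IPIP


class SourceFilter:
    """Permit only packets whose (outer) source lies in the given prefixes."""

    def __init__(self, prefixes):
        self.nets = [ipaddress.ip_network(p) for p in prefixes]

    def permits(self, pkt: Packet) -> bool:
        src = ipaddress.ip_address(pkt.src)
        return any(src in n for n in self.nets)


# Constructed topology (hypothetical):
#   the customer port on the ISP edge is assigned 192.0.2.0/24
#   a tunnel endpoint on a DMZ at 198.51.100.1 decapsulates IP-in-IP
#   the victim sits at 203.0.113.10
CUSTOMER_PREFIX = "192.0.2.0/24"
TUNNEL_HOST = "198.51.100.1"
VICTIM = "203.0.113.10"


def tunnel_decapsulate(pkt: Packet,
                       inner_filter: Optional[SourceFilter] = None) -> Optional[Packet]:
    """Tunnel endpoint: strip the outer header and forward the inner packet.

    Without inner_filter the inner source is forwarded unchecked, so the host
    relays whatever source address its tunnel users choose to put there.
    """
    if pkt.proto != IPIP or pkt.dst != TUNNEL_HOST or pkt.inner is None:
        return None
    if inner_filter is not None and not inner_filter.permits(pkt.inner):
        return None   # hardened endpoint: inner source must also be legitimate
    return pkt.inner


def forward(pkt: Packet, edge: SourceFilter,
            inner_filter: Optional[SourceFilter] = None) -> Optional[Packet]:
    """Return the packet that finally arrives at its destination, or None."""
    if not edge.permits(pkt):
        return None                        # dropped by the ISP's ingress filter
    if pkt.proto == IPIP:
        return tunnel_decapsulate(pkt, inner_filter)
    return pkt


def source_seen_by_victim(pkt: Packet, edge: SourceFilter,
                          inner_filter: Optional[SourceFilter] = None) -> Optional[str]:
    """The source address the victim observes, or None if nothing arrives."""
    out = forward(pkt, edge, inner_filter)
    return out.src if out is not None else None


def demo():
    edge = SourceFilter([CUSTOMER_PREFIX])
    spoofed = Packet(src="10.9.9.9", dst=VICTIM, proto=TCP)
    # 1. Spoofed packet sent straight out of the customer port: dropped.
    direct = source_seen_by_victim(spoofed, edge)
    # 2. Same packet wrapped in IP-in-IP with a legitimate outer source:
    #    the edge only sees 192.0.2.7, the tunnel host forwards 10.9.9.9.
    tunneled = Packet(src="192.0.2.7", dst=TUNNEL_HOST, proto=IPIP, inner=spoofed)
    via_tunnel = source_seen_by_victim(tunneled, edge)
    # 3. Tunnel endpoint that filters the inner source as well: dropped again.
    via_hardened = source_seen_by_victim(tunneled, edge, SourceFilter([CUSTOMER_PREFIX]))
    return direct, via_tunnel, via_hardened


if __name__ == "__main__":
    print(demo())
```

The model checks only the source address, as an ingress ACL does; it does not model routing or return traffic. The point it makes is the one in the quoted message: the edge filter is only as good as the set of hosts beyond it that will forward a packet without looking at its source, so a decapsulating host on a DMZ needs its own filter on what it unwraps.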
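The open-relay discussion above, as an added example that is neither code from the thread nor any particular MTA's configuration: a relay decision function written two ways, the open policy that accepts any recipient from any client, and a restricted policy that relays only when the recipient is local, the client is on the site's own network, or the client has proved its identity. Domain names, prefixes and the request records are constructed; the "authenticated" flag stands in for whatever mechanism the relay uses to recognise its travelling users and is an assumption of the example.

```python
"""Open versus restricted SMTP relay policy.

Added example, not part of the mailing-list thread. Domains, networks and
requests are constructed; 'authenticated' is a placeholder for however the
relay recognises its own travelling users.
"""
import ipaddress
from dataclasses import dataclass

LOCAL_DOMAINS = {"example.org"}                         # we deliver mail for these
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # the site's own network


@dataclass
class RelayRequest:
    client_ip: str        # peer address of the SMTP connection
    mail_from: str        # envelope sender
    rcpt_to: str          # envelope recipient
    authenticated: bool = False


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def open_relay_policy(req: RelayRequest) -> bool:
    """The 'open relay': any client may send to any recipient."""
    return True


def restricted_relay_policy(req: RelayRequest) -> bool:
    """Relay only for our users or our recipients; refuse third-party relaying."""
    if domain_of(req.rcpt_to) in LOCAL_DOMAINS:
        return True          # inbound mail for local users is always accepted
    client = ipaddress.ip_address(req.client_ip)
    if any(client in net for net in TRUSTED_NETS):
        return True          # outbound mail from inside the site
    if req.authenticated:
        return True          # a travelling user who has proved who they are
    return False             # outside client to outside recipient: refuse


# Constructed sample of connection attempts, including a spammer's.
SAMPLE = [
    RelayRequest("198.51.100.5", "friend@elsewhere.net", "alice@example.org"),
    RelayRequest("192.0.2.40", "bob@example.org", "friend@elsewhere.net"),
    RelayRequest("203.0.113.77", "bob@example.org", "friend@elsewhere.net",
                 authenticated=True),
    RelayRequest("203.0.113.9", "bulk@spammer.invalid", "victim@elsewhere.net"),
]


def relayed(policy, requests=SAMPLE):
    """Recipients a policy would relay to, in order."""
    return [r.rcpt_to for r in requests if policy(r)]


if __name__ == "__main__":
    print("open:      ", relayed(open_relay_policy))
    print("restricted:", relayed(restricted_relay_policy))
```

With the sample above the open policy relays all four messages, including the spam, while the restricted policy relays the first three and refuses the last, which is the case the thread is about: an outside client asking the relay to deliver to an outside recipient.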