
RE: HIP firewalling



>> As a side note, how is HIP going to allow port blocking? Will it avoid
>> worm attacks by its puzzle mechanism? I don't think it is possible (but
>> it can reduce its spawning speed).
>
> You can build a HIP firewall that uses HIs as the level of
> granularity.  Beyond that, on the port level, you have to
> do it locally at the host.  But that's the right way to do it
> anyway, IMHO.  The current worms and other internet fauna
> are a problem that SHOULD NOT be handled at the network level
> but by the operating system.
 
The patch solution has its limitations. If I am a network admin, I have
to track the infected hosts, wake up the user, convince them that it is
really a problem, then ask him to patch his OS, and then allow the user
to play with his machine. It is not a day's work but sometimes goes on
the order of months. Port blocking will fix the problem quickly, OTOH.
So, IAB's recent port blocking concerns did not consider the total
picture.

> Do you expect to run HIP in your Win98 box?

Of course. My school just provides windoze machines (and runs Linux through
emulation, VMware etc.). Does IETF just support non-windoze platforms? ;-)