
port blocking (was Re: CELP (was RE:) )



> As a side note, how is HIP going to allow port blocking? Will it avoid
> worm attacks by its puzzle mechanism? I don't think it is possible (but
> it can reduce its spawning speed.)


This is a very interesting question, and I expect there will never be a good
answer for this.  (The puzzle mechanism does not fundamentally help with
worm attacks, though it may help to defend against a DOS attack against
a specific server's CPU resources launched by a worm.)

How does IPSEC allow port blocking?  As far as I know, it does not.  After
the IKE exchange establishes a SA, ESP hides the TCP port numbers.
HIP has no better answer to this question than IPSEC, or any other protocol
that provides for encryption between strangers.

"Having an encrypted conversation with a stranger may be like meeting that
person in a dark alley.  Whatever happens, there are no witnesses."  (quote
is from Blumenthal and Clark, _Rethinking the Design of the Internet: The
End-to-End Arguments vs. the Brave New World_, August 2001)



			-Tim Shepard
			 shep@alum.mit.edu
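To make the point about ESP concrete, here is an added example (not part of the original post, and not code from the HIP or IPsec projects) that dissects two hand-constructed IPv4 packets, one carrying plaintext TCP and one carrying ESP as laid out in RFC 4303, and shows what a port-blocking rule on a middlebox can and cannot decide without the SA keys. The packet builders and the `port_filter` helper are assumptions made for this illustration.

```python
import struct

# Constructed packets (no real capture): an IPv4 header without options,
# then either a TCP header (protocol 6) or an ESP header (protocol 50):
# 4-byte SPI, 4-byte sequence number, then ciphertext that encloses the
# original transport header, so the port numbers are not on the wire.

def ipv4_header(proto, payload_len):
    # version 4, IHL 5 (20 bytes), TTL 64, checksum left as zero for the demo
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))

def tcp_packet(sport, dport):
    # SYN with data offset 5, window 8192, no options
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    return ipv4_header(6, len(tcp)) + tcp

def esp_packet(spi, seq, ciphertext):
    esp = struct.pack("!II", spi, seq) + ciphertext
    return ipv4_header(50, len(esp)) + esp

def inspect(packet):
    """Return only what a stateless middlebox can read without the SA keys."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    body = packet[ihl:]
    if proto == 6:
        sport, dport = struct.unpack("!HH", body[:4])
        return {"proto": "tcp", "sport": sport, "dport": dport}
    if proto == 50:
        spi, seq = struct.unpack("!II", body[:8])
        # The TCP header is inside the encrypted payload; only SPI and
        # sequence number are visible, so no port can be recovered here.
        return {"proto": "esp", "spi": spi, "seq": seq}
    return {"proto": str(proto)}

def port_filter(packet, blocked_ports):
    """Verdict of a port-blocking rule: 'drop', 'pass', or 'undecidable'."""
    info = inspect(packet)
    if "dport" not in info:
        return "undecidable"          # ESP (or any non-TCP) hides the port
    return "drop" if info["dport"] in blocked_ports else "pass"
```

The practical consequence for a defender is that once traffic is inside ESP, a network filter can only key on peer addresses and SPI, so port policy has to be enforced at the endpoint that holds the keys.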