Re: port blocking (was Re: CELP (was RE:) )
On 16-feb-04, at 19:01, Tim Shepard wrote:

> > As a side note, how is HIP going to allow port blocking? Will it avoid
> > worm attacks by its puzzle mechanism? I don't think it is possible
> > (but it can reduce its spawning speed.)
>
> How does IPSEC allow port blocking? As far as I know, it does not. After
> the IKE exchange establishes a SA, ESP hides the TCP port numbers.
>
> HIP has no better answer to this question than IPSEC, or any other
> protocol that provides for encryption between strangers.
>
> "Having an encrypted conversation with a stranger may be like meeting
> that person in a dark alley. Whatever happens, there are no witnesses."
Why would anyone want to filter based on port numbers? It provides no
real security, just headaches. On the other hand, I can understand that
people are uncomfortable having internal hosts communicate with
external ones without being able to see what's going on. A way to solve
this would be to include firewalls in the authentication and
authorization negotiations.
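The point made in the quoted reply above (once an SA is up, ESP hides the TCP port numbers from anything in the path) is easy to see by laying the bytes out. The following is an added example, not code from the thread or from any HIP or IPsec implementation: it builds a plain IPv4/TCP SYN and the same segment wrapped in ESP transport mode, then runs a stateless port-based ACL over both. The addresses, SPI, key and the hash-derived keystream "cipher" are all constructed for the demonstration; real ESP uses a proper AEAD such as AES-GCM plus an ICV, which changes nothing about what the filter can see.

```python
"""Port-based filtering against plaintext TCP versus ESP (added example).

Layouts follow RFC 791 (IPv4), RFC 793 (TCP) and RFC 4303 (ESP: SPI, sequence
number, encrypted payload, pad length, next header). Checksums, padding and
the ESP ICV are omitted because they do not affect what a middlebox can read.
The keystream below is a stand-in so the inner header is unreadable; it is
NOT a real cipher and must not be used as one.
"""
import hashlib
import struct

IPPROTO_TCP = 6
IPPROTO_ESP = 50

# Constructed sample values (not real hosts or keys).
SRC = bytes([10, 0, 0, 5])
DST = bytes([192, 0, 2, 10])      # TEST-NET-1 documentation range
KEY = b"constructed-demo-key"
SPI = 0x1234ABCD


def ipv4_header(proto, src, dst, payload_len):
    """Minimal 20-byte IPv4 header; checksum left at zero (not validated)."""
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, src, dst)


def tcp_header(sport, dport):
    """Minimal 20-byte TCP SYN header: seq/ack zero, data offset 5, window 65535."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


def keystream(key, length):
    """Deterministic hash-derived keystream (demo stand-in for a real cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def esp_encapsulate(spi, seq, inner, key):
    """ESP transport mode: SPI and sequence in the clear, everything after encrypted.
    The trailer carries pad length (0 here) and the next-header value (TCP)."""
    trailer = struct.pack("!BB", 0, IPPROTO_TCP)
    plain = inner + trailer
    cipher = bytes(a ^ b for a, b in zip(plain, keystream(key, len(plain))))
    return struct.pack("!II", spi, seq) + cipher


def esp_decapsulate(packet, key):
    """What only the SA endpoints can do: recover the inner segment and next header."""
    cipher = packet[20 + 8:]                      # skip IPv4 header and SPI/seq
    plain = bytes(a ^ b for a, b in zip(cipher, keystream(key, len(cipher))))
    return plain[:-2], plain[-1]                 # (inner TCP segment, next header)


def build_packets(dport=445):
    """Return (plaintext TCP packet, ESP-wrapped packet) for the same SYN."""
    inner = tcp_header(40000, dport)
    plain_pkt = ipv4_header(IPPROTO_TCP, SRC, DST, len(inner)) + inner
    esp = esp_encapsulate(SPI, 1, inner, KEY)
    esp_pkt = ipv4_header(IPPROTO_ESP, SRC, DST, len(esp)) + esp
    return plain_pkt, esp_pkt


def port_filter(packet, blocked_ports):
    """A stateless firewall rule: drop TCP to a blocked destination port.
    Returns (verdict, reason). For ESP the rule cannot be evaluated at all."""
    proto = packet[9]                             # IPv4 protocol field
    payload = packet[20:]
    if proto == IPPROTO_TCP:
        _sport, dport = struct.unpack("!HH", payload[:4])
        if dport in blocked_ports:
            return "drop", f"tcp dport {dport} blocked"
        return "accept", f"tcp dport {dport} allowed"
    if proto == IPPROTO_ESP:
        spi, seq = struct.unpack("!II", payload[:8])
        # Only SPI and sequence number are visible; the TCP ports sit in ciphertext,
        # so the only filterable attributes are peer address and SA identity.
        return "undecidable", f"esp spi=0x{spi:08x} seq={seq}: ports not visible"
    return "accept", f"proto {proto} not matched by rule"


def inner_ports(packet, key):
    """Endpoint-side view: the ports really are there, just not for the middlebox."""
    inner, _next = esp_decapsulate(packet, key)
    return struct.unpack("!HH", inner[:4])


if __name__ == "__main__":
    plain_pkt, esp_pkt = build_packets(445)
    print("plaintext:", port_filter(plain_pkt, {445}))
    print("esp      :", port_filter(esp_pkt, {445}))
    print("endpoint sees ports:", inner_ports(esp_pkt, KEY))
```

Running it shows the ACL dropping the plaintext SYN to port 445 while returning "undecidable" for the identical segment inside ESP, which is exactly why the only workable designs either terminate the SA at the firewall or, as the message suggests, let the firewall take part in the authentication and authorization exchange so it can make a decision on identity rather than on bytes it can no longer read.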