
RE: Ability to withstand well known attacks



I disagree. Floods will always affect systems. Fill the pipe and the effect
is the same: the network element will be unreachable.

As long as the network element/service doesn't crash or hang, I think that
is enough. No matter what you do there will always be a way to temporarily
remove a service by resource exhaustion.

If this was focused on hosts I would agree that something like syncookies is
a good idea, but a network will always be bandwidth constrained.

 
Donald.Smith@qwest.com GCIA
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xAF00EDCC
(coffee != sleep) & (!coffee == sleep)

> -----Original Message-----
> From: Dan Hollis [mailto:goemon@anime.net]
> Sent: Tuesday, July 22, 2003 12:09 PM
> To: opsec@ops.ietf.org
> Subject: Re: Ability to withstand well known attacks
> 
> 
> On Tue, 22 Jul 2003, George Jones wrote:
> > > OPSEC BOF - Operation Security Requirements for
> > > IP Network Elements Session
> > > 17 July 2003, IETF #57, Vienna
> > > BS: (Bill Somerfeld, Sun) Vendors will have trouble
> > >     with 2.3.8.  No vendor could comply with
> > >     2.3.8, it is too hard as written.  GJ: admits that
> > >     2.3.8 needs work.  BS: it is also a moving target!
> > OK, this makes two vendors who strenuously objected to this
> > requirement.   I'd like feedback/discussion/suggested wording.
> 
> Devices should at the very least survive "obvious" attacks like SYN
> floods. Management ports should not become unusable simply because the
> device was flooded with bogus SYNs. (In this case syncookies would be a
> requirement)
> 
> I can't begin to count the endless list of vendors who can't even meet
> that simple requirement.
> 
> -Dan
> -- 
> [-] Omae no subete no kichi wa ore no mono da. [-]
> 
>