
Re: Dropping stealthing from opsec; Anyone for a little I>R<TF work?



 "jc" == James Carlson <james.d.carlson@sun.com> writes:

jc> George Jones writes:
>> Sorry....I guess I should have been more clear...the goal IS to
>> make the core invisible beyond the edge.

jc> I'm not sure I understand the point of this[1], but please do consider
jc> the effect of such a plan on path MTU discovery.  The ICMP messages
jc> from within the core do need to make it out to the sender in _some_
jc> form.

Path MTU Discovery should not really be needed on modern Internet
backbones.  Every path I've taken in recent times has made it across
the backbone without chunking down from the Ethernet max.  If there's
a bottleneck, it's outside the core.

jc> [1] It's not just to hide the IP addresses, is it?  That'd just be
jc>    security-by-obscurity.  I don't think that treating IP addresses
jc>    as secrets is a viable plan.

Think of the phone network.  When's the last time a kid successfully
whistled 2600?  You don't see red boxes around anymore.  Do you have
ANY idea what the path of the last long distance call you made was?

The Internet (in a very tall Ivory Tower sort of way) should be the
same.  You should buy service, and inject packets into the cloud.
They should come out near your destination.  And you should neither
know nor care what path your packets took.

In reality, the Internet is packet switched, rather than circuit
switched, so there is a lot more routing going on.  And you only have
access to layer 7 on the phone network.  You have access to layer 3
and above on the Internet.

You don't know the MAC address of a switch in the middle of Google's
datacenter, and you don't care.  Heck, you can't even find out what it
is without either breaking one of their boxes or abusing protocols in
interesting ways.  Similarly, you don't know the path that your packet
took, how their HSRP is working today, or what STP has pruned this
time.

So as long as everything works the way that it should (which is a huge
caveat), you neither know nor care what IP path your packets take
across the core.  It's just a huge black cloud, and you cannot whistle
2600.

ericb