
Re: [RRG] Renumbering... ACLs etc.



Hi Tony,

You wrote:

> Unfortunately, the practice of putting remote addresses into firewall ACLs
> is all too common.  Of course, there's a name we have for sites that do
> this: pwned.
> 
> That said, this is such a colossally bad practice, that I would have no
> trouble supporting architectures that forced people to rethink this.

The hardware has to filter packets based on the IP addresses in the
header. It can't very well do some conversion from the IP address to
some FQDN-like string of text and do a comparison on that - every
time a packet arrives.

So the router's filter needs an IP address - and perhaps a prefix
length as well.

If you want to be able to instruct the router in some other way than
an IP address, then I guess you would have to use a FQDN or
something else which can be resolved to an IP address by DNS or some
other system outside the router.

That involves several things:

  Firstly, the resolution needs to be done by some robust,
  secure, global mapping system - DNS or something else.

  Secondly, the entity you want to refer to must have an
  entry in that system.

  Thirdly, that system must be updated when the entity to
  be filtered changes its IP address.

  Fourthly, the router needs to find this out ASAP, so it
  can update its IP address.

So I think that in addition to specifying a FQDN or similar, you
would also need to specify a frequency of update - to tell the
router how often it should check with the DNS or whatever to convert
the FQDN or whatever into an IP address.

One problem is that the router could spend a lot of time doing these
DNS lookups, including for things it never in fact sees packets for.
How many routers are there in a network which need this IP address?
That could be a lot of DNS activity.

Another problem is that the filtering might not be just on an IP
address, but on the base address of a prefix, and a prefix length.

If that changes, then the global query server system can't just
return an IP address - it needs to return a prefix length too.
Maybe DNS could be updated to do this, or another mapping system
could do the job.


 - Robin
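As an added illustration (not part of Robin's mail, nor RRG or vendor code), a small Python model of the name-based ACL he describes: each rule carries a FQDN and a refresh interval, the router re-resolves only when that interval has elapsed, and a constructed lookup table stands in for DNS or another mapping system and returns both an address and a prefix length, since plain DNS returns no prefix length. The `staleness_demo` function shows the window after a renumbering in which the old address is still permitted and the new one is still denied.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the mapping system: name -> (address, prefix length).
# Real DNS would give only the address; the prefix length needs another source.
def constructed_mapping():
    return {"peer.example.net": ("192.0.2.10", 32)}

@dataclass
class NamedRule:
    fqdn: str
    action: str            # "permit" or "deny"
    refresh_secs: int      # how often the router re-resolves the name
    prefix: Optional[ipaddress.IPv4Network] = None
    last_resolved: float = -1.0

    def resolve(self, now: float, mapping: dict, lookups: list) -> None:
        """Re-resolve only when the refresh interval has elapsed (counts lookups)."""
        if self.last_resolved >= 0 and now - self.last_resolved < self.refresh_secs:
            return
        addr, plen = mapping[self.fqdn]
        self.prefix = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
        self.last_resolved = now
        lookups.append((now, self.fqdn))

def evaluate(rules, src_ip: str, now: float, mapping: dict, lookups: list) -> str:
    """Action of the first rule whose resolved prefix contains src_ip; default deny."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        rule.resolve(now, mapping, lookups)
        if rule.prefix is not None and ip in rule.prefix:
            return rule.action
    return "deny"

def staleness_demo():
    """Peer renumbers at t=100 s; with a 300 s refresh the router keeps permitting
    the old address and denying the new one until the next refresh at t=300 s."""
    mapping = constructed_mapping()
    rules = [NamedRule("peer.example.net", "permit", refresh_secs=300)]
    lookups = []
    before = evaluate(rules, "192.0.2.10", 0, mapping, lookups)       # permit
    mapping["peer.example.net"] = ("198.51.100.7", 32)                 # renumbering
    stale_old = evaluate(rules, "192.0.2.10", 100, mapping, lookups)  # still permit
    stale_new = evaluate(rules, "198.51.100.7", 100, mapping, lookups)  # deny
    after = evaluate(rules, "198.51.100.7", 300, mapping, lookups)    # permit
    return before, stale_old, stale_new, after, len(lookups)

if __name__ == "__main__":
    print(staleness_demo())
```

Shortening `refresh_secs` narrows the stale window but raises the lookup count, which is exactly the trade-off between staleness and DNS load that the mail raises.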


--
to unsubscribe send a message to rrg-request@psg.com with the
word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/rrg/> & ftp://psg.com/pub/lists/rrg