
RE: [RRG] Renumbering... ACLs etc.



Robin,

I think you're missing the point: having a firewall filter on ANY field set
by a correspondent that cannot be strongly authenticated is simply asking
for trouble.  

To date, folks have claimed that the return routability of the address was
'enough' security.  However, that depends on routing being secure.  I hope
the folks in this group are aware of the reality in that regard.

Tony


|-----Original Message-----
|From: Robin Whittle [mailto:rw@firstpr.com.au] 
|Sent: Sunday, August 17, 2008 9:00 AM
|To: Routing Research Group
|Cc: tony.li@tony.li
|Subject: Re: [RRG] Renumbering... ACLs etc.
|
|Hi Tony,
|
|You wrote:
|
|> Unfortunately, the practice of putting remote addresses into
|> firewall ACLs is all too common.  Of course, there's a name we have for
|> sites that do this: pwned.
|>
|> That said, this is such a colossally bad practice, that I would have no
|> trouble supporting architectures that forced people to rethink this.
|
|The hardware has to filter packets based on the IP addresses in the
|header. It can't very well do some conversion from the IP address to
|some FQDN like string of text and do a comparison on that - every
|time a packet arrives.
|
|So the router's filter needs an IP address - and perhaps a prefix
|length as well.
|
|If you want to be able to instruct the router in some other way than
|an IP address, then I guess you would have to use a FQDN or
|something else which can be resolved to an IP address by DNS or some
|other system outside the router.
|
|That involves several things:
|
|  Firstly, the resolution needs to be done by some robust,
|  secure, global mapping system - DNS or something else.
|
|  Secondly, the entity you want to refer to must have an
|  entry in that system.
|
|  Thirdly, that system must be updated when the entity to
|  be filtered changes its IP address.
|
|  Fourthly, the router needs to find this out ASAP, so it
|  can update its IP address.
|
|So I think that in addition to specifying a FQDN or similar, you
|would also need to specify a frequency of update - to tell the
|router how often it should check with the DNS or whatever to convert
|the FQDN or whatever into an IP address.
|
|One problem is that the router could spend a lot of time doing these
|DNS lookups, including for things it never in fact sees packets for.
|How many routers are there in a network which need this IP address?
|That could be a lot of DNS activity.
|
|Another problem is that the filtering might not be just on an IP
|address, but on the base address of a prefix, and a prefix length.
|
|If that changes, then the global query server system can't just
|return an IP address - it needs to return a prefix length too.
|Maybe DNS could be updated to do this, or another mapping system
|could do the job.
|
|
| - Robin
|
|
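The FQDN-keyed filter rule Robin sketches above (a name plus a refresh frequency, resolved into address/prefix entries by some mapping system), as an added illustration that is not part of either message. The rule, the `lookup` table and the prefix values are constructed for the example; note that a record carrying only an address yields a host prefix, and that the rule still matches on a source address the sender chose, which is Tony's objection.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, List

# Constructed stand-in for "DNS or some other mapping system". Plain A/AAAA
# records carry no prefix length, so a mapping that knows only addresses
# ends up as /32 or /128 entries after ip_network().
Resolver = Callable[[str], List[str]]

@dataclass
class FqdnAclRule:
    fqdn: str
    refresh_secs: float          # Robin's "frequency of update" for re-resolution
    resolver: Resolver
    _nets: list = field(default_factory=list, init=False)
    _resolved_at: float = field(default=None, init=False)

    def refresh(self, now: float) -> None:
        """Re-resolve the FQDN into networks; done lazily so idle rules cost nothing."""
        self._nets = [ipaddress.ip_network(p, strict=False) for p in self.resolver(self.fqdn)]
        self._resolved_at = now

    def matches(self, src: str, now: float) -> bool:
        """Match the (unauthenticated) source address against the cached prefixes."""
        if self._resolved_at is None or now - self._resolved_at >= self.refresh_secs:
            self.refresh(now)
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in self._nets)

# Constructed mapping table; the partner "renumbers" partway through the demo.
MAPPING = {"partner.example": ["203.0.113.0/24"]}

def lookup(fqdn: str) -> List[str]:
    return list(MAPPING.get(fqdn, []))

def demo() -> dict:
    """Show the stale window between a renumbering and the next refresh."""
    MAPPING["partner.example"] = ["203.0.113.0/24"]
    rule = FqdnAclRule("partner.example", refresh_secs=60, resolver=lookup)
    before = rule.matches("203.0.113.7", now=0)        # resolved on first use
    MAPPING["partner.example"] = ["198.51.100.0/24"]   # partner renumbers
    stale = rule.matches("203.0.113.7", now=30)        # old prefix still permitted
    after_old = rule.matches("203.0.113.7", now=60)    # refresh drops old prefix
    after_new = rule.matches("198.51.100.9", now=61)   # new prefix now matches
    return {"before": before, "stale": stale, "after_old": after_old, "after_new": after_new}
```

Shortening `refresh_secs` narrows the stale window but multiplies the lookup load across every router holding the rule, which is the trade-off Robin raises.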


--
to unsubscribe send a message to rrg-request@psg.com with the
word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/rrg/> & ftp://psg.com/pub/lists/rrg