Re: Simple Security - Layered Filtering should be in the document
On 29 Jul 2009, at 10:54, Gregory M. Lebovitz wrote:
Point well taken in v4, Pekka. But the Internet is changing. There
wasn't tons of encapsulation layering in the past. It's becoming
more and more relevant now, and especially in v6. I'm sitting in
Softwires WG right now. Most of this is about tunneling one IP thing
over another. We're on the 5th proposal now, or so.
Conclusion: I don't think looking at what vendors have been doing
for the past 10 years is a good indicator of what is needed in the
next 10 years, because the networking is dramatically changing.
So what?
Let me reiterate a point that I made yesterday: you can't attack a
host with an encapsulated packet unless the host is actively
decapsulating. That's why it's not an issue to allow IPsec through: a
host will simply ignore those packets unless it's interested in IPsec
traffic to/from the remote host in the first place. So you can't do
password brute forcing or exploit daemon vulnerabilities through
encapsulated packets in the general case. And if the host is
decapsulating, it obviously wants to receive those packets to provide
some kind of utility to the user so then blocking them gets in the way
of the user.
Also don't forget that today's hosts are well prepared to fend for
themselves; they don't need firewalls like a pre-SP1 Windows XP
machine does. If that weren't true there'd be a big "clean up your
system after it has been compromised on the completely open IETF
network" activity in the terminal room. Hosts connect to 3G or wifi
networks that may or may not be firewalled all the time and that
rarely creates problems that would be avoided by the type of filtering
I'm seeing proposed in addition to what's already in the draft.
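As an added illustration of the point made in the reply above (this is not code from the thread), here is a small Python model of a host's IPv6 input path: the outer next-header decides whether the inner packet is ever parsed, so a tunneled TCP SYN toward a listening port reaches the daemon only when the host has a decapsulator configured. The packet bytes, the listening-port set and the decapsulator table are constructed for the example.

```python
import struct

NH_TCP, NH_IPV6, NH_ESP = 6, 41, 50  # IANA protocol / next-header numbers

def ipv6_header(next_header: int, payload: bytes) -> bytes:
    # Constructed 40-byte IPv6 fixed header: version 6, zero traffic class and
    # flow label, payload length, next header, hop limit 64, src ::1, dst ::2.
    src = b"\x00" * 15 + b"\x01"
    dst = b"\x00" * 15 + b"\x02"
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + src + dst + payload

def tcp_segment(dst_port: int) -> bytes:
    # Constructed minimal TCP header: src port 40000, dst port, seq/ack 0,
    # data offset 5, SYN flag set, window 65535, checksum and urgent pointer 0.
    return struct.pack("!HHIIBBHHH", 40000, dst_port, 0, 0, 5 << 4, 0x02, 65535, 0, 0)

def dispatch(packet: bytes, listening_ports, decapsulators, depth: int = 0) -> str:
    """Model of a host's input path; returns a short description of the outcome.

    decapsulators maps a next-header value to a function that turns the payload
    into the inner IPv6 packet. A host with no entry for that next-header never
    looks inside the payload, which is the behaviour the reply describes.
    """
    if depth > 4:
        return "dropped: encapsulation too deep"
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return "dropped: not IPv6"
    next_header = packet[6]
    payload = packet[40:]
    if next_header == NH_TCP:
        dst_port = struct.unpack("!H", payload[2:4])[0]
        if dst_port in listening_ports:
            return f"delivered to tcp/{dst_port}"
        return f"rst: tcp/{dst_port} closed"
    if next_header in (NH_IPV6, NH_ESP):
        handler = decapsulators.get(next_header)
        if handler is None:
            return f"ignored: no decapsulator for next-header {next_header}"
        return dispatch(handler(payload), listening_ports, decapsulators, depth + 1)
    return f"ignored: unsupported next-header {next_header}"

def outcomes() -> dict:
    # Same inner SYN to tcp/22, delivered plain and inside IPv6-in-IPv6 (next-header 41).
    inner = ipv6_header(NH_TCP, tcp_segment(22))
    tunneled = ipv6_header(NH_IPV6, inner)
    listening = {22}
    return {
        "plain": dispatch(inner, listening, {}),
        "tunneled_no_decap": dispatch(tunneled, listening, {}),
        "tunneled_with_decap": dispatch(tunneled, listening, {NH_IPV6: lambda p: p}),
    }
```

Running outcomes() shows the plain SYN reaching tcp/22, the tunneled one being ignored on a host with no decapsulator, and the same tunneled packet reaching tcp/22 once an IPv6-in-IPv6 decapsulator is configured.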