[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Simple Security - Layered Filtering should be in the document

To: "Gregory M. Lebovitz" <gregory.ietf@gmail.com>
Subject: Re: Simple Security - Layered Filtering should be in the document
From: Iljitsch van Beijnum <iljitsch@muada.com>
Date: Thu, 30 Jul 2009 14:14:55 +0200
Cc: Shane Amante <shane@castlepoint.net>, Pekka Savola <pekkas@netcore.fi>, v6ops@ops.ietf.org
In-reply-to: <4a70daeb.1aba720a.0d4f.ffffaa18@mx.google.com>
References: <4a6f8b8b.0a1ad00a.2cb2.ffffcf87@mx.google.com> <alpine.LRH.2.00.0907291028310.18296@netcore.fi> <4a700e65.25e2660a.04e1.3841@mx.google.com> <04596BBA-8D7F-46A0-BC14-2E61A5779236@castlepoint.net> <4a70daeb.1aba720a.0d4f.ffffaa18@mx.google.com>

On 30 jul 2009, at 1:27, Gregory M. Lebovitz wrote:

if tunneling is the default avenue for building new protocols, thenyou can bet the under ground economy attack authors are going to beforming exploits on them. Which is why customers need tools that areable to block them


Surprisingly, that doesn't necessarily follow.

What's needed is a mechanism to protect hosts from packets that:

1. They have no interest in receiving
2. Could harm them

Note that this is a weaker proposition than in a corporateenvironment, where the local interest in receiving packets is not arelevant factor. However, in a home environment we must allow users tobe stupid if they so choose.

As far as I know, there are no existing <something>-in-IPv6encapsulations that mainstream OSes decapsulate by default. So anyencapsulated packets will be dropped on the floor by a typical Windowsor MacOS box, and as such there is no need to spend cycles to filterthem out.

if so desired

Of course going beyond what's in the draft is always a possibility,but that has to require an explicit action by the user, we need tohave a standard level of permeability so the makers of peer-to-peerapplications have a standardized way in.

I know there is a school of thinking that says incoming packets of anykind except ones explicitly desired by the host as shown by previousoutgoing packets are unacceptable, but the consequence of that line ofthought is that many classes of peer-to-peer applications becomeimpossible. In this situation, only a simultaneous open can work, andthese require a control channel and are notoriously hard to get right.

However, I would love to apply such a policy to my mailboxes, both theelectronic and dead tree types.

Follow-Ups:
- RE: Simple Security - Layered Filtering should be in the document
  - From: Yaron Sheffer <yaronf@checkpoint.com>

References:
- Fwd: Simple Security - Layered Filtering should be in the document
  - From: "Gregory M. Lebovitz" <gregory.ietf@gmail.com>
- Re: Fwd: Simple Security - Layered Filtering should be in the document
  - From: Pekka Savola <pekkas@netcore.fi>
- Re: Fwd: Simple Security - Layered Filtering should be in the document
  - From: "Gregory M. Lebovitz" <gregory.ietf@gmail.com>
- Re: Simple Security - Layered Filtering should be in the document
  - From: Shane Amante <shane@castlepoint.net>
- Re: Simple Security - Layered Filtering should be in the document
  - From: "Gregory M. Lebovitz" <gregory.ietf@gmail.com>

Prev by Date: Re: R41 in draft-ietf-v6ops-cpe-simple-security-07
Next by Date: Re: R41 in draft-ietf-v6ops-cpe-simple-security-07
Previous by thread: Re: Simple Security - Layered Filtering should be in the document
Next by thread: RE: Simple Security - Layered Filtering should be in the document
Index(es):
- Date
- Thread