
RE: Simple Security - Layered Filtering should be in the document



Hi Gert,

Your argument is valid today. But once any tunnel-based transition mechanism
is standardized and widely adopted by commercial operating systems, there
will be untunneling done by default, with no security mechanisms attached.
Note that IPsec requires access control from all implementations, but other
mechanisms don't. So suddenly you have to be wary of "tunneled burglars",
too.

Thanks,
	Yaron

> -----Original Message-----
> From: Gert Doering [mailto:gert@Space.Net]
> Sent: Friday, July 31, 2009 9:28
> To: Gregory M. Lebovitz
> Cc: Iljitsch van Beijnum; Yaron Sheffer; Shane Amante; Pekka Savola;
> v6ops@ops.ietf.org
> Subject: Re: Simple Security - Layered Filtering should be in the document
> 
> Hi,
> 
> On Thu, Jul 30, 2009 at 11:56:17PM -0700, Gregory M. Lebovitz wrote:
> > Sure. If all the valuable possessions in my home were unremovably
> > bolted to the floor, and it was impossible for anyone without the
> > retinal patterns and fingerprints of my direct family and invited
> > friends to touch any of those things, then yes, I would have no need
> > for the locks on my home's doors. Likewise, if hosts were perfect at
> > protecting themselves and the network infrastructure between them
> > across all subnets, then there would be no need for network perimeter
> > filters.
> 
> That's actually missing the point.
> 
> This analogy isn't going to work as you would need to envision a
> "tunneled" burglar who would only be able to steal or touch anything
> if there is someone inside who "un-tunnels" the burglar.
> 
> On all common OSes, a tunneled packet will just be ignored unless a
> specific un-tunneling device is configured - and if you configure
> such an interface, it's reasonable to assume that you want to receive
> these packets (IPSEC comes to mind).
> 
> Don't forget we're not talking about enterprise maximum annoyance^Wsecurity
> policy enforcement devices but about "simple security for home networks".
> 
> Gert Doering
>         -- NetMaster
> --
> Total number of prefixes smaller than registry allocations:  128645
> 
> SpaceNet AG                        Vorstand: Sebastian v. Bomhard
> Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
> D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
> Tel: +49 (89) 32356-444            USt-IdNr.: DE813185279
> 

Attachment: smime.p7s
Description: S/MIME cryptographic signature
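The "tunneled burglar" point above, as an added example that is not part of the thread: a perimeter filter that only reads the outer IPv4 header passes an IPv6-in-IPv4 packet (IPv4 protocol 41, as used by 6in4/6to4; this protocol number, the blocked port 445 and the packet bytes are my constructed choices, not taken from the mail) no matter what the inner IPv6/TCP header asks for, while a layered filter that un-tunnels first can apply the same policy to the inner packet.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41  # IPv4 protocol number for IPv6-in-IPv4 (6in4/6to4)
IPPROTO_TCP = 6

def parse_ipv4(pkt):
    ihl = (pkt[0] & 0x0F) * 4          # header length in bytes
    return {"proto": pkt[9], "payload": pkt[ihl:]}

def parse_ipv6(pkt):
    return {"next": pkt[6], "payload": pkt[40:]}  # fixed 40-byte header

def tcp_dport(seg):
    return struct.unpack("!H", seg[2:4])[0]

def outer_only_verdict(pkt, blocked_ports):
    """Perimeter filter that inspects only the outer IPv4 header."""
    v4 = parse_ipv4(pkt)
    if v4["proto"] == IPPROTO_TCP and tcp_dport(v4["payload"]) in blocked_ports:
        return "drop"
    return "accept"  # protocol 41 is opaque here, so the tunnel passes

def layered_verdict(pkt, blocked_ports):
    """Same policy, applied again after un-tunneling protocol-41 payloads."""
    v4 = parse_ipv4(pkt)
    if v4["proto"] != IPPROTO_IPV6:
        return outer_only_verdict(pkt, blocked_ports)
    v6 = parse_ipv6(v4["payload"])
    if v6["next"] == IPPROTO_TCP and tcp_dport(v6["payload"]) in blocked_ports:
        return "drop"
    return "accept"

def build_sample():
    """Constructed packet: IPv4(proto 41) > IPv6 > TCP SYN to port 445 (checksums left 0)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 445, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    v6 = (struct.pack("!IHBB", 0x60000000, len(tcp), IPPROTO_TCP, 64)
          + ipaddress.IPv6Address("2001:db8::1").packed
          + ipaddress.IPv6Address("2001:db8::2").packed + tcp)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(v6), 0, 0, 64,
                       IPPROTO_IPV6, 0, ipaddress.IPv4Address("192.0.2.1").packed,
                       ipaddress.IPv4Address("192.0.2.2").packed) + v6

if __name__ == "__main__":
    pkt = build_sample()
    print("outer-only:", outer_only_verdict(pkt, {445}))  # accept
    print("layered:   ", layered_verdict(pkt, {445}))     # drop
```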