> My point here is that the principal objection being raised to NAT, the
> limitation on network connectivity is precisely the reason why it is
> beneficial.
>
> There is no other device that can provide me with a lightweight firewall for
> $50.
other reponses gave you some good news.
> Same can be said of IPv6.
>
> We have a lot of really good ways of avoiding issues we don't like:
> complexity, accessibility, limited access in third world countries.
>
> Unless the arguments are applied consistently they should not be made at all.
> Otherwise they just become special pleading.
well, you can say this for IPv4, or operating systems which does not
have enough history. for the record, KAME group found a bug in IPv4
options handling, rooted in Net/1 timeframe, in year 2000. so i use
operating systems which has its roots in 1970s only :-P
http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/ip_input.c
revision 1.132
> As I told Bruce Schneier after his silly IPSEC and Certification Authority
> papers, security is risk control, not risk elimination.
>
> It is not helpful to criticise a security measure that empirically offers a
> high degree of security for failing to address cases it is not designed to
> deal with. An HTTP server behind a NAT box is no HTTP server and thus no
> threat.
>
> In a full default deny infrastructure I can allow the HTTP server external
> access and deal with issues such as HTTP server corruption by requiring the
> HTTP server to run in an isolated O/S partition so that compromise of the
> server cannot lead to compromise of the host.
i can understand your point about "security is risk control". we trust
16-digit credit cards as credit card companies have $$$ insurance in
the back. ATM machines and credit card CAT systems use stone age
technology called MODEM, so wiretapping them should be less than
trivial for those who read the "2600 magazine".
however, we are internet engineers, aren't we? we are not forced
to use modems, and even if we use modems, we put IP layer on top.
do check Steve Deering's "hour glass" presentation if you missed it.
http://www3.ietf.org/proceedings/01aug/slides/plenary-1/index.htm
and, not to offend Verisign or anything, and really a off topic,
but i still believe PKI and other tree-based authentication technology
does not scale enough.
since we need to install keys for famous certificate authorities into
the browsers, it became more difficult for small free software people
to implement/distribute HTTPS capable browsers without hitting the
problem "we do not have CA key for Amazon.com".
> I can shut down 95% of existing botnets using reverse firewalls. I have yet
> to find a legitimate network use with an access pattern that remotely
> resembles the access patern of a production botnet.
>
> The approach I propose in the dotCrime Manifesto is that by default the
> newtork access point throttles outgoing SYN and DNS requests to some large
> number that is well short of the needs of spammers, DDoS SYN flooding etc.
so you install both forward and reverse firewalls, then what kind
of communication would you permit? :-P
> > OSes have to be secured by default, that's all.
>
> Linux is ten million odd lines of code. When you have more than a million
> lines of code you can be certain that at least 50% of the people working on
> it were below average in talent. Vista is ten times bigger.
>
> We simply don't know how to build a secure operating system today.
well, you are using OSes which are not in AT&T UNIX family tree so you
are in the wrong world. sorry Microsoft guys, i do try hard not to
offend you :-P
http://www.freebsd.org/cgi/cvsweb.cgi/src/share/misc/bsd-family-tree
> The 'security through obscurity' argument is bogus.
>
> Back in the early 1990s people were arguing AGAINST the use of shaddow
> passwords in UNIX on the grounds that they give a 'false sense of security'.
>
> I agree that most enterprises have an exagerated idea of what perimeter
> security can do for them, but that does not mean that the solution is to drop
> all the firewalls. That is not what is being discussed when people are
> talking about deperimeterization.
funny that you say "obscurity". i would say that NAT is the obscurity
device. if you are in Linux camp you know that RMS does not use
password at all. but i'm in OpenBSD camp so i randomize/encrypt every
single bit of information i use, even process IDs are random.
i do not trust MD5 password. i use Blowfish-based password developed
by Niels Provos. i think i am more paranoid than most of Verisign
guys, modulo those who are managing the root CA key in the secret vault
in a data center which i cannot guess the location.
http://www.usenix.org/events/usenix99/provos.html
> There is no individual security control that cannot be trumped. Host based
> security can be disabled if the host is compromised. We don't yet have the
> trustworthy systems we need to prevent that attack.
>
> There is no individual security control that cannot be trumped, but we can
> deploy combinations of security controls that make it very much harder for an
> attacker to succeed.
if you install secure OSes to the end clients, you do not have to
worry about the infection by worms almost forever. you just need to
adjust youself to use MagicPoint instead of PowerPoint, and use
vi/roff/TeX instead of MS Word.
itojun
_______________________________________________
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf
