On Sun, Mar 19, 2000 at 07:40:35PM -0500, Michael H. Warfield wrote:
> On Sun, Mar 19, 2000 at 09:14:37PM +0000, Steve Dodd wrote:
> > But stateful routers aren't. Excuse me while I blunder around in your
> > machine room and trip over the power lead to your router <g>
> And that has what to do with the price of tea in China?
It was a flip remark designed to indicate that reliability is a problem.
Probably a poor choice.
> Stateful filtering in routers, firewalls, or host interfaces is
> almost certainly a good thing considering the insecurity of most of the
> alternatives. The secure alternative on a firewall would be proxies.
I have to admit to limited experience with filtering. However, I'd imagine
that a regular stateful filter would (i) pass packets which it didn't have
enough info to block (i.e. packets forming part of a connection that was
already established when the router was powered up), and (ii) not necessarily
alter the contents of the packets. (ii) (what the "PIX" device described
earlier was doing) is the problem. It's mangling the packets in a way which
requires it to hold state. I'm sure there are situations where it would be
useful, perhaps as a short term measure. So I'm not saying that "stateful
filtering" is bad, but I do think that "stateful rewriting" is something that
needs to be thought about very carefully before being used.
> Secure, yes, but a dubious performance hog at the very least... And excuse
> me while I blunder around in your machine room and trip over the power
> lead to your [proxy firewall of choice].
I'm not arguing against stateful filtering, and I'm certainly not arguing for
application-level proxies/relays. I was arguing against munging packet headers
(particularly in a way requiring state) in routers, if you can possibly help
it.
> The comment was inane.
True. I'm no great wit, I'm afraid, and should know by now to avoid attempts
at humour :-/
More interestingly, I need to read up on IPsec. If it operates at the IP level,
as I imagine, then TCP sequence numbers would end up being encrypted or signed.
A sequence number rewriting device should break this quite nicely. I believe
there's at least one RFC which discusses the advantages of end-to-end
transparency, and they certainly made sense (and seemed important) to me last
time I read it.
[..]
--
Fortune: You will be attacked next Wednesday at 3:15 p.m. by six samurai
sword wielding purple fish glued to Harley-Davidson motorcycles.
-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to [EMAIL PROTECTED]
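The point raised above about sequence-number rewriting and IPsec, shown as an added example (not part of the original thread or anyone's posted code): a sender computes an AH/ESP-style keyed integrity check over a TCP header, a modelled stateful middlebox offsets the sequence number, and the receiver's check fails. The key, ports, sequence numbers and the HMAC-SHA256 truncation are constructed assumptions for the demonstration, not a real SA.

```python
import hashlib
import hmac
import struct

# Constructed key shared by the two IPsec endpoints (assumption for the demo).
SA_KEY = b"constructed-demo-key-not-real"

# Fixed 20-byte TCP header layout, no options.
TCP_FMT = "!HHIIBBHHH"


def build_tcp_header(src_port, dst_port, seq, ack, flags=0x18, window=65535):
    """Build a 20-byte TCP header; checksum and urgent pointer are zeroed
    because they are not the point of the demonstration."""
    data_offset = 5 << 4  # header length in 32-bit words, shifted into place
    return struct.pack(TCP_FMT, src_port, dst_port, seq, ack,
                       data_offset, flags, window, 0, 0)


def compute_icv(key, payload):
    """Integrity check value over the transport segment, the way an AH/ESP-style
    keyed MAC covers it (simplified: HMAC-SHA256 truncated to 96 bits)."""
    return hmac.new(key, payload, hashlib.sha256).digest()[:12]


def verify_icv(key, payload, icv):
    """Receiver-side check; constant-time compare of the recomputed ICV."""
    return hmac.compare_digest(compute_icv(key, payload), icv)


def rewrite_sequence(tcp_header, delta):
    """Model a stateful middlebox that offsets the TCP sequence number by a
    per-connection delta (the 'stateful rewriting' the thread discusses)."""
    fields = list(struct.unpack(TCP_FMT, tcp_header))
    fields[2] = (fields[2] + delta) & 0xFFFFFFFF
    return struct.pack(TCP_FMT, *fields)


def simulate(delta):
    """Sender signs the segment, middlebox rewrites seq, receiver verifies.
    Returns (verifies_unmodified, verifies_after_rewrite)."""
    original = build_tcp_header(40000, 443, seq=0x11223344, ack=0x55667788)
    icv = compute_icv(SA_KEY, original)
    rewritten = rewrite_sequence(original, delta)
    return verify_icv(SA_KEY, original, icv), verify_icv(SA_KEY, rewritten, icv)


if __name__ == "__main__":
    print("delta=0:", simulate(0))          # both checks pass
    print("delta=0x1000:", simulate(0x1000))  # rewritten segment fails
```

With ESP encryption the middlebox could not even read the sequence number, so the rewrite would corrupt ciphertext instead; either way the end-to-end check, not the middlebox, decides what the receiver accepts.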