On Tue, 2010-04-20 at 12:59 -0700, Owen DeLong wrote:
> On Apr 20, 2010, at 12:31 PM, Roger Marquis wrote:
> > NAT _always_ fails-closed
> Stateful Inspection can be implemented fail-closed.

Not to take issue with either statement in particular, but I think there
needs to be some consideration of what "fail" means.

Dealing with an unwanted but foreseeable error condition, like running
out of memory, is not a failure mode. It is a controlled event. NOT
dealing with it is a failure mode.

So a properly written program (or properly constructed device) will deal
with whatever error conditions the designer was able to anticipate, and
will hopefully deal with them intelligently. Power failure and physical
damage are harder to handle than others, but on high-end equipment even
some of those are considered and managed. Ideally the designer will have
considered all conditions that can possibly arise, but the ideal is not
achievable. There will *always* be conditions a program or device is
unable to handle or possibly even detect.

When a situation arises that is beyond the control of the program or
device, was not anticipated by the designer, or if the designer made a
mistake, we enter the realm of an actual failure. And all bets are off.
NAT (for example) could fail in any way at all - including by (say)
inappropriately sharing a mapping. If processes are running on a shared
platform - say NAT, routing and packet filtering - failure of any part
could cause failure of any other part. In some cases (I seem to recall
that recent Californian power failures were an example) the error
handling itself can cause another error condition and another
opportunity for failure.

Reading through the security alerts from any vendor is a pretty sobering
process - stuff fails open more often than you might expect.

So I think we should be very cautious about saying that things "fail
open" or "fail closed".

We should be especially cautious about it when the functionality we are
interested in is really no more than a happy side effect of some other
functionality. NAT's "security", to the extent that it exists at all, is
a side effect of what it is intended to do, which is translate and map

Regards, K.

Karl Auer (ka...@biplane.com.au)                   +61-2-64957160 (h)
http://www.biplane.com.au/~kauer/                  +61-428-957160 (mob)

GPG fingerprint: B386 7819 B227 2961 8301 C5A9 2EBC 754B CD97 0156
Old fingerprint: 07F3 1DF9 9D45 8BCD 7DD5 00CE 4A44 6A03 F43A 7DEF

Attachment: signature.asc
Description: This is a digitally signed message part

Reply via email to