Re: ISMS working group and charter problems

Iljitsch van Beijnum <iljitsch@muada.com> Tue, 06 September 2005 23:34 UTC

In-Reply-To: <20050906230450.9BB1E3BFD6F@berkshire.machshav.com>
References: <20050906230450.9BB1E3BFD6F@berkshire.machshav.com>
Mime-Version: 1.0 (Apple Message framework v734)
Content-Type: text/plain; charset="US-ASCII"; delsp="yes"; format="flowed"
Message-Id: <E8014931-944D-42C9-A950-F3B1CFB1B0C5@muada.com>
Content-Transfer-Encoding: 7bit
From: Iljitsch van Beijnum <iljitsch@muada.com>
Date: Wed, 07 Sep 2005 01:34:17 +0200
To: "Steven M. Bellovin" <smb@cs.columbia.edu>
Cc: IETF Discussion <ietf@ietf.org>
Subject: Re: ISMS working group and charter problems

On 7-sep-2005, at 1:04, Steven M. Bellovin wrote:

>> Either the firewall
>> successfully blocks the protocol and the firewall works and the
>> protocol doesn't, or the firewall doesn't manage to block the
>> protocol and the protocol works but the firewall doesn't. So whatever
>> happens, someone is going to be unhappy.

> Not at all.  Often, a firewall needs to know a fair amount about the
> protocol to do its job.  FTP is the simplest case -- it has to look for
> the PORT (and, in some configuration, the PASV) command.  H.323 and SIP
> are more complex.

I'm not very comfortable with the notion of having a third party  
device deciding what is valid communication between two hosts  
connected to the internet. This is just too fragile. For instance, a  
popular filter on *BSD (they're all named [i]pf[w] so I can never  
remember which is which) is unable to handle RFC 1323 window scaling  
properly. PIX firewalls truncate(d) EDNS0 packets. ICMP packet too  
bigs are filtered in many places, as is ECN.

I recognize that carrying all existing firewalls to the scrap heap
won't immediately solve our problems, but we do have to realize that
current filter practices do almost as much harm as they do good. We
really need better stuff here.

(It's amusing to see that to some people, security means encrypting  
their communication, while to others it means inspecting that same  
communication.)

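The FTP case mentioned above is the smallest instance of the protocol knowledge a firewall needs: an application-level gateway has to parse the client's PORT command and the server's 227 (PASV) reply to learn which data connection to permit. The example below is added here and is not code from either poster; it models that parsing in Python together with an assumed pinhole policy (announced address must equal the control-connection peer, port must be ephemeral). The sample control-channel lines and the 192.0.2.0/24 and 198.51.100.0/24 addresses are constructed. The last line, an EPRT command from RFC 2428, shows the fragility the thread is arguing about: a gateway written only for PORT/PASV returns no endpoint for it, so the data connection is silently blocked even though both hosts speak the protocol correctly.

```python
"""Minimal model of the protocol awareness an FTP application-level gateway
needs (added example, not from the thread).  It parses PORT commands and 227
replies and applies an assumed pinhole policy."""
import re
from ipaddress import IPv4Address

# PORT h1,h2,h3,h4,p1,p2  (RFC 959 section 4.1.2)
_PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)
# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2).  Servers vary the wording,
# so only the six comma-separated numbers are relied upon.
_PASV_RE = re.compile(r"^227\b.*?(\d{1,3}(?:,\d{1,3}){5})")


def _decode_hostport(fields):
    """Turn 'h1,h2,h3,h4,p1,p2' into (IPv4Address, port)."""
    nums = [int(x) for x in fields.split(",")]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range: %s" % fields)
    host = IPv4Address(".".join(str(n) for n in nums[:4]))
    port = (nums[4] << 8) | nums[5]
    return host, port


def parse_port_command(line):
    """Client -> server PORT command; None if the line is not one."""
    m = _PORT_RE.match(line.strip())
    return _decode_hostport(m.group(1)) if m else None


def parse_pasv_reply(line):
    """Server -> client 227 reply; None if the line is not one."""
    m = _PASV_RE.match(line.strip())
    return _decode_hostport(m.group(1)) if m else None


def data_channel_allowed(host, port, expected_peer):
    """Assumed gateway policy before opening a pinhole: the announced address
    must be the host on the other end of the control connection, and the
    port must be outside the well-known range."""
    return host == IPv4Address(expected_peer) and port >= 1024


def gateway_decisions(control_lines, client_ip, server_ip):
    """Walk a constructed control-channel transcript and return, per line,
    the endpoint the gateway learned (or None) and whether it would permit
    the corresponding data connection."""
    decisions = []
    for direction, line in control_lines:
        if direction == "C":
            endpoint = parse_port_command(line)
            peer = client_ip
        else:
            endpoint = parse_pasv_reply(line)
            peer = server_ip
        if endpoint is None:
            decisions.append((line, None, False))
        else:
            host, port = endpoint
            decisions.append((line, (str(host), port),
                              data_channel_allowed(host, port, peer)))
    return decisions


# Constructed transcript: "C" = client to server, "S" = server to client.
CONSTRUCTED_LINES = [
    ("C", "PORT 198,51,100,9,4,1"),                       # active mode
    ("S", "227 Entering Passive Mode (192,0,2,7,200,20)."),  # passive mode
    ("C", "PORT 203,0,113,5,4,2"),                        # third-party address
    ("C", "EPRT |1|198.51.100.9|1026|"),                  # RFC 2428, unknown to this gateway
]

if __name__ == "__main__":
    for line, endpoint, allowed in gateway_decisions(
            CONSTRUCTED_LINES, "198.51.100.9", "192.0.2.7"):
        print("%-48s -> %s %s" % (line, endpoint, "ALLOW" if allowed else "BLOCK"))
```

Run as a script it prints one verdict per line; the third line is refused by policy, while the EPRT line is refused only because the gateway does not understand it, which is the "firewall works, protocol doesn't" outcome from the quoted paragraph.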