Re: I-D.ietf-v6ops-cpe-simple-security-09

Fred Baker <fred@cisco.com> Sat, 20 March 2010 19:56 UTC

From: Fred Baker <fred@cisco.com>
In-Reply-To: <4BA524A8.9020201@cisco.com>
Date: Sat, 20 Mar 2010 12:53:36 -0700
Cc: james woodyatt <jhw@apple.com>, IPv6 Operations <v6ops@ops.ietf.org>
Message-Id: <D6BE2A3C-57BD-486D-B9C6-382B42FA4A67@cisco.com>
References: <D6F5ACD2-EB43-477E-9F48-AC3EDB3F7EB4@apple.com> <4BA3BBCF.2090903@cisco.com> <4BA3D1B3.4010501@gmail.com> <9EEBEB1D-8D88-45DB-9200-EBE2ED0D84CF@apple.com> <4BA524A8.9020201@cisco.com>
To: Mark Townsley <townsley@cisco.com>

On Mar 20, 2010, at 12:40 PM, Mark Townsley wrote:

> Rate-limiting unsolicited inbound connections rather than rejecting them provides greater end-to-end transparency while still providing protection against address and port scanning attacks as well as overloading of slow links or devices within the home.

Silly question. Why do you believe that? An address or port scanning attack is not intended to overload a network; it is intended to find an address or port that can be used or attacked. Making the scan take more time doesn't prevent it from reaching its target. In what way does rate limiting an address or port scan provide protection?

http://www.ipinc.net/IPv4.GIF
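To make the two positions in this exchange concrete, here is an added toy simulation (not from the draft or from either poster) of a CPE applying a token-bucket rate limit versus a default-deny stateful filter to a constructed stream of unsolicited inbound connection attempts; the port list, rates and burst size are made-up parameters. It reports how many attempts reach the inside host, the peak admitted rate, and how long the stream took, so both the "slow link stays protected" and the "a patient scan still gets through" observations can be read off the numbers.

```python
"""Toy comparison of two CPE policies for unsolicited inbound attempts:
a token-bucket rate limiter versus a default-deny stateful filter.
Constructed simulation; the probe stream and parameters are made up."""
from collections import Counter


def token_bucket_policy(rate, burst):
    """Admit an attempt when a token is available; refill at `rate` tokens/s
    up to `burst`. Returns a stateful admit(now, port) -> bool callable."""
    state = {"tokens": float(burst), "last": 0.0}

    def admit(now, _port):
        state["tokens"] = min(burst, state["tokens"] + (now - state["last"]) * rate)
        state["last"] = now
        if state["tokens"] >= 1.0:
            state["tokens"] -= 1.0
            return True
        return False

    return admit


def deny_unsolicited_policy():
    """Default-deny: an unsolicited inbound attempt is never admitted."""
    return lambda _now, _port: False


def probe_stream(ports, pps):
    """Constructed inbound attempts: one per port, evenly paced at `pps` per second."""
    return [(i / pps, port) for i, port in enumerate(ports)]


def run(policy, probes):
    """Feed probes through a policy once (policies are stateful). Report how many
    reached the inside host, the peak admitted count per 1 s bin, and the span."""
    delivered, per_second = 0, Counter()
    for now, port in probes:
        if policy(now, port):
            delivered += 1
            per_second[int(now)] += 1
    span = probes[-1][0] - probes[0][0] if probes else 0.0
    return {"delivered": delivered, "total": len(probes),
            "peak_per_s": max(per_second.values(), default=0), "span_s": span}


if __name__ == "__main__":
    ports = range(1, 1025)
    for label, pps in (("fast scan, 1000/s", 1000), ("paced scan, 10/s", 10)):
        limited = run(token_bucket_policy(rate=10, burst=20), probe_stream(ports, pps))
        denied = run(deny_unsolicited_policy(), probe_stream(ports, pps))
        print(label, "| rate-limited:", limited, "| default-deny:", denied)
```

With these parameters the fast scan loses most probes and never exceeds about 30 admissions in any second, while the scan paced at the limiter's refill rate is delivered in full, only taking roughly 100 s instead of one.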