Re: I-D.ietf-v6ops-cpe-simple-security-09
Fred Baker <fred@cisco.com> Sat, 20 March 2010 22:57 UTC
Return-Path: <owner-v6ops@ops.ietf.org>
X-Original-To: ietfarch-v6ops-archive@core3.amsl.com
Delivered-To: ietfarch-v6ops-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 91C8C3A694C for <ietfarch-v6ops-archive@core3.amsl.com>; Sat, 20 Mar 2010 15:57:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -109.472
X-Spam-Level:
X-Spam-Status: No, score=-109.472 tagged_above=-999 required=5 tests=[AWL=-2.107, BAYES_00=-2.599, DNS_FROM_OPENWHOIS=1.13, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RCVD_IN_DNSWL_HI=-8, RDNS_NONE=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kW8FNd6mLdiJ for <ietfarch-v6ops-archive@core3.amsl.com>; Sat, 20 Mar 2010 15:57:23 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 8D6A43A6857 for <v6ops-archive@lists.ietf.org>; Sat, 20 Mar 2010 15:56:58 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.71 (FreeBSD)) (envelope-from <owner-v6ops@ops.ietf.org>) id 1Nt7aI-00070W-L4 for v6ops-data0@psg.com; Sat, 20 Mar 2010 22:55:58 +0000
Received: from [171.68.10.86] (helo=sj-iport-4.cisco.com) by psg.com with esmtps (TLSv1:RC4-SHA:128) (Exim 4.71 (FreeBSD)) (envelope-from <fred@cisco.com>) id 1Nt7aD-000709-M3 for v6ops@ops.ietf.org; Sat, 20 Mar 2010 22:55:54 +0000
Authentication-Results: sj-iport-4.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-AV: E=Sophos;i="4.51,280,1267401600"; d="scan'208";a="103390388"
Received: from sj-core-3.cisco.com ([171.68.223.137]) by sj-iport-4.cisco.com with ESMTP; 20 Mar 2010 22:55:53 +0000
Received: from stealth-10-32-244-218.cisco.com (stealth-10-32-244-218.cisco.com [10.32.244.218]) by sj-core-3.cisco.com (8.13.8/8.14.3) with ESMTP id o2KMtqHp024411; Sat, 20 Mar 2010 22:55:53 GMT
Subject: Re: I-D.ietf-v6ops-cpe-simple-security-09
Mime-Version: 1.0 (Apple Message framework v1077)
Content-Type: text/plain; charset="us-ascii"
From: Fred Baker <fred@cisco.com>
In-Reply-To: <4BA55147.601@cisco.com>
Date: Sat, 20 Mar 2010 15:55:52 -0700
Cc: james woodyatt <jhw@apple.com>, IPv6 Operations <v6ops@ops.ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <F0FDFF3D-F703-422A-9443-D6F723FB034C@cisco.com>
References: <D6F5ACD2-EB43-477E-9F48-AC3EDB3F7EB4@apple.com> <4BA3BBCF.2090903@cisco.com> <4BA3D1B3.4010501@gmail.com> <9EEBEB1D-8D88-45DB-9200-EBE2ED0D84CF@apple.com> <4BA524A8.9020201@cisco.com> <D6BE2A3C-57BD-486D-B9C6-382B42FA4A67@cisco.com> <4BA55147.601@cisco.com>
To: Mark Townsley <townsley@cisco.com>
X-Mailer: Apple Mail (2.1077)
Sender: owner-v6ops@ops.ietf.org
Precedence: bulk
List-ID: <v6ops.ops.ietf.org>
>>> Rate-limiting unsolicited inbound connections rather than rejecting them provides greater end-to-end transparency while still providing protection against address and port scanning attacks as well as overloading of slow links or devices within the home. >>> >> SIlly question. Why do you believe that? An address or port scanning attack is not intended to overload a network, it is intended to find an address port that can be used or attacked. > The sentence is referencing two different things. One, the possibility that uninvited packets might overload some device or slow link (something I consider unlikely, but has been identified as a concern by some), the other is, indeed, designed to make blind port and address scanning less likely to succeed in a given amount of time. > > - Mark >> Making the scan take more time doesn't prevent it from reaching its target. In what way does rate limiting an address or port scan provide protection? With all due respect, when I set up security for my home or office, and when Cisco InfoSec sets up security for its home offices (of which mine is one), they're not asking about making an attack take ten minutes vs five. They're asking about preventing an attack from succeeding. Now, we can discuss the logic of the notion that "the bad guys are out there and the good guys are in here", but given the assumption, we need to be rational about the threats we are trying to prevent from succeeding.
- I-D.ietf-v6ops-cpe-simple-security-09 james woodyatt
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Baugher
- Re: I-D.ietf-v6ops-cpe-simple-security-09 james woodyatt
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Fred Baker
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Fred Baker
- Re: I-D.ietf-v6ops-cpe-simple-security-09 james woodyatt
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Baugher
- Re: I-D.ietf-v6ops-cpe-simple-security-09 james woodyatt
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Baugher
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Baugher
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Ole Troan
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Baugher
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Baugher
- RE: I-D.ietf-v6ops-cpe-simple-security-09 STARK, BARBARA H (ATTLABS)
- Re: I-D.ietf-v6ops-cpe-simple-security-09 james woodyatt
- Fwd: I-D.ietf-v6ops-cpe-simple-security-09 - ICMP… Rémi Després
- Re: I-D.ietf-v6ops-cpe-simple-security-09 - ICMP … james woodyatt
- Re: I-D.ietf-v6ops-cpe-simple-security-09 - ICMP … Rémi Després
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Brian E Carpenter
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Smith
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Townsley
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Brian E Carpenter
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Townsley
- Re: I-D.ietf-v6ops-cpe-simple-security-09 james woodyatt
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Brian E Carpenter
- Re: I-D.ietf-v6ops-cpe-simple-security-09 james woodyatt
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Townsley
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Townsley
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Townsley
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Fred Baker
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Fred Baker
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Townsley
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Townsley
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Fred Baker
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Shane Amante
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Smith
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Cameron Byrne
- Re: I-D.ietf-v6ops-cpe-simple-security-09 james woodyatt
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Smith
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Gert Doering
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Townsley
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Townsley
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Brian E Carpenter
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Townsley
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Smith
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Townsley
- Re: I-D.ietf-v6ops-cpe-simple-security-09 james woodyatt
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Townsley
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Townsley
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Townsley
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Brian E Carpenter
- Re: I-D.ietf-v6ops-cpe-simple-security-09 james woodyatt
- Status of RFC 4864 (was Re: I-D.ietf-v6ops-cpe-si… Mark Townsley
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Townsley
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Smith
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Townsley
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Ole Troan
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Brian E Carpenter