Re: port blocking (was Re: CELP (was RE:) )
On 16-feb-04, at 19:01, Tim Shepard wrote:
> As a side note, how is HIP going to allow port blocking? Will it avoid
> worm attacks by its puzzle mechanism? I don't think it is possible
> it can reduce its spawning speed.)
How does IPSEC allow port blocking? As far as I know, it does not.
The IKE exchange establishes an SA, and ESP hides the TCP port numbers.
HIP has no better answer to this question than IPSEC, or any other protocol
that provides for encryption between strangers.
"Having an encrypted conversation with a stranger may be like meeting a
person in a dark alley. Whatever happens, there are no witnesses."
Why would anyone want to filter based on port numbers? It provides no
real security, just headaches. On the other hand, I can understand that
people are uncomfortable having internal hosts communicate with
external ones without being able to see what's going on. A way to solve
this would be to include firewalls in the authentication and
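The point made above, that once IKE has set up an SA the ESP payload leaves a port-filtering firewall with nothing to filter on, can be shown concretely. The following is an added illustration written for this archive page, not code from the HIP or IPsec work discussed in the thread: it parses a raw IPv4 packet, and for TCP/UDP it pulls the port numbers a port filter would act on, while for ESP (IP protocol 50) the only cleartext it finds is the SPI and sequence number. The two packets are constructed inline for the demonstration (header checksums are left at zero, and the ESP "ciphertext" is placeholder bytes), and the filter policy, function names and the `UNDECIDABLE` verdict are assumptions of this example rather than anything from the original message.

```python
import struct

# IP protocol numbers (IANA assignments)
TCP = 6
UDP = 17
ESP = 50


def parse_ipv4(pkt: bytes):
    """Return (proto, src, dst, payload) for a raw IPv4 packet (options honoured via IHL)."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    vihl = pkt[0]
    if vihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (vihl & 0x0F) * 4
    proto = pkt[9]
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    return proto, src, dst, pkt[ihl:]


def classify(pkt: bytes) -> dict:
    """Extract whatever a stateless middlebox can read without the SA's keys."""
    proto, src, dst, payload = parse_ipv4(pkt)
    info = {"proto": proto, "src": src, "dst": dst}
    if proto in (TCP, UDP):
        # Transport header is in the clear: source and destination ports are visible.
        info["sport"], info["dport"] = struct.unpack("!HH", payload[:4])
    elif proto == ESP:
        # RFC 4303 ESP: only SPI and sequence number precede the encrypted payload.
        info["spi"], info["seq"] = struct.unpack("!II", payload[:8])
    return info


def port_filter_decision(pkt: bytes, allowed_dports: set) -> str:
    """Port-based policy: ALLOW/DROP for cleartext transports, UNDECIDABLE for ESP.

    'UNDECIDABLE' is this example's label for the situation in the message:
    the firewall cannot apply a port policy because the port is encrypted.
    """
    info = classify(pkt)
    if "dport" in info:
        return "ALLOW" if info["dport"] in allowed_dports else "DROP"
    if info["proto"] == ESP:
        return "UNDECIDABLE"
    return "DROP"


def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Constructed IPv4 header (no options, checksum left 0) in front of payload."""
    hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
        bytes(int(o) for o in src.split(".")),
        bytes(int(o) for o in dst.split(".")),
    )
    return hdr + payload


# Constructed sample packets (not captured traffic).
# 1) A TCP SYN from an internal host to port 80 on an external host.
_tcp_syn = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
TCP_PKT = build_ipv4(TCP, "10.0.0.5", "192.0.2.10", _tcp_syn)

# 2) The same flow after IKE set up an SA: ESP with SPI 0x12345678, then opaque bytes.
_esp = struct.pack("!II", 0x12345678, 1) + b"\x00" * 16
ESP_PKT = build_ipv4(ESP, "10.0.0.5", "192.0.2.10", _esp)

if __name__ == "__main__":
    policy = {80, 443}
    for name, pkt in (("TCP", TCP_PKT), ("ESP", ESP_PKT)):
        print(name, classify(pkt), "->", port_filter_decision(pkt, policy))
```

Run as a script, the TCP packet is allowed because port 80 is in the policy, while the ESP packet yields only an SPI, so the same policy cannot be applied to it; that is the gap the message describes, and the proposed remedy in the thread (making the firewall a party to the authentication) is what would give the middlebox something to decide on.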