RE: I-D Publication Request: draft-ietf-netconf-soap-05.txt
Hi,
The point I was trying to make is that if NetConf shares port 80
with other applications, then ANY denial-of-service attack against
port 80 blocks ALL of those applications (including the important
NetConf for system management purposes).
If you use a dedicated port, then much simpler protection can be
performed. And NetConf doesn't wind up sharing port 80 with the
embedded Web server that is often (unwisely?) included in pieces
of network infrastructure equipment.
Cheers,
- Ira
Ira McDonald (Musician / Software Architect)
Blue Roof Music / High North Inc
PO Box 221 Grand Marais, MI 49839
phone: +1-906-494-2434
email: imcdonald@sharplabs.com
> -----Original Message-----
> From: Juergen Schoenwaelder [mailto:j.schoenwaelder@iu-bremen.de]
> Sent: Monday, July 11, 2005 3:53 PM
> To: Ted Goddard
> Cc: McDonald, Ira; 'Sharon Chisholm'; netconf
> Subject: Re: I-D Publication Request: draft-ietf-netconf-soap-05.txt
>
>
> On Mon, Jul 11, 2005 at 11:02:04AM -0600, Ted Goddard wrote:
>
> > Why can't the firewall simply drop all requests to the NETCONF URL
> > if the origin of those requests is on a list of attackers? This seems
> > more expensive to process (string comparison vs integer comparison)
> > but not fundamentally less secure.
>
> I think Ira was pointing to my Linux kernel which is pretty good in
> filtering packets based on port numbers but rather bad in filtering
> SOAP requests by URL or something like that.
>
> /js
>
> --
> Juergen Schoenwaelder International University Bremen
> <http://www.eecs.iu-bremen.de/> P.O. Box 750 561,
> 28725 Bremen, Germany
>
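The shared-port versus dedicated-port argument in this thread, as an added simulation that is not part of the thread or of the draft: it models each listener's accept queue as a fixed burst capacity and a packet filter that can match only on (source, port), using constructed addresses and a placeholder NetConf port of 9999.

```python
from collections import Counter

QUEUE_CAPACITY = 50     # connections a listener holds before refusing (burst model, no drain)
MANAGER = "192.0.2.10"  # constructed management-station address (RFC 5737 range)

def simulate(requests, netconf_port, allowed_managers=None):
    """Replay (src_ip, dst_port, path) requests through a packet filter and one
    accept queue per port; return a Counter of outcomes for the manager's calls.
    allowed_managers applies only to netconf_port: a (src, dport) check done before
    any HTTP is parsed, so it is only usable when NetConf has a port of its own."""
    backlog, outcome = Counter(), Counter()
    for src, dport, path in requests:
        if allowed_managers is not None and dport == netconf_port and src not in allowed_managers:
            continue  # dropped by the packet filter; never reaches the listener
        if backlog[dport] >= QUEUE_CAPACITY:
            if src == MANAGER:
                outcome["lost"] += 1  # management call refused by the flooded listener
            continue
        backlog[dport] += 1
        if src == MANAGER:
            outcome["served"] += 1
    return outcome

def constructed_burst(netconf_port, flood_size=500, manager_calls=20, probe_netconf=False):
    """Attacker sources flood port 80 (and netconf_port too if probe_netconf) while
    the manager's NetConf calls arrive interleaved. All addresses are constructed."""
    reqs = []
    for i in range(flood_size):
        attacker = f"203.0.113.{i % 250 + 1}"
        reqs.append((attacker, 80, "/index.html"))
        if probe_netconf:
            reqs.append((attacker, netconf_port, "/netconf"))
        if i % (flood_size // manager_calls) == 0:
            reqs.append((MANAGER, netconf_port, "/netconf"))
    return reqs

def compare(dedicated_port=9999):
    """Four deployments; 9999 is a placeholder port, not a value from the draft."""
    return {
        "shared_80": simulate(constructed_burst(80), 80),
        "dedicated": simulate(constructed_burst(dedicated_port), dedicated_port),
        "dedicated_probed": simulate(constructed_burst(dedicated_port, probe_netconf=True), dedicated_port),
        "dedicated_allowlisted": simulate(constructed_burst(dedicated_port, probe_netconf=True),
                                          dedicated_port, {MANAGER}),
    }

if __name__ == "__main__":
    for name, counts in compare().items():
        print(f"{name:22s} served={counts['served']:2d} lost={counts['lost']:2d}")
```

On the shared port the web flood starves the manager's calls; a dedicated port isolates NetConf from that flood, and the cheap port-level allowlist is what still protects it when the attacker probes the management port directly.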
archive: <http://ops.ietf.org/lists/netconf/>