[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [RRG] Renumbering... ACLs etc.

To: 'Routing Research Group' <rrg@psg.com>
Subject: Re: [RRG] Renumbering... ACLs etc.
From: "Joel M. Halpern" <jmh@joelhalpern.com>
Date: Mon, 18 Aug 2008 07:07:53 -0400
In-reply-to: <67E6708E2BB24C6BB849B0971A2D24ED@ad.redback.com>
References: <20080816165144.2FAD66BE5BD@mercury.lcs.mit.edu> <E11E2692-3853-4F87-ADC2-A44334378026@nomadiclab.com> <67FD447745684B4F98360E7117C779B4@ad.redback.com> <48A84B03.2050209@firstpr.com.au> <A0C4C5EB5B1D4E4C8C781CF4789F26D8@ad.redback.com> <48A8D82F.8020507@firstpr.com.au> <67E6708E2BB24C6BB849B0971A2D24ED@ad.redback.com>
User-agent: Thunderbird 2.0.0.16 (Windows/20080708)

I wish I could agree not just with the "should" but with "we canpersuade them to." I worked behind an actively managed and supervisedfirewall for a while. They had a quite strict security policy in place.Their policy was to block all inbound connections to their VPN deviceunless those connections, and the IP addresses for them, had beenexplicitly authorized.Yes, they know that IP addresses can be spoofed. But this sort offiltering made the barrier to penetrating the firewall significantlyhigher. (It meant I could not use the VPN, as they would not authorizeany dynamic IP addresses.)Trying to tell them that their policy is wrong, and that they can not dothat, is not going to work. We have to provide them something else toget the same capability if we do not want them using locators for this.


Yours,
Joel

PS: The one we ought to be able to persuade folks to fix is the "trick"of tying software licenses to server IP addresses.


Tony Li wrote:

Hi Robin,


|OK - I understand that you are suggesting that the routers not
|filter by IP address at all, but by "something else".


Not exactly.  What I'm suggesting is that firewalls cannot reliably filter
on any remote information.  It will be spoofed unless it's strongly
authenticated, such as an IPsec tunnel.

They *can* reasonably filter on local information (e.g., destination IP
address, destination port, protocol, destination identifier, destination
locator).  These are under the control of the local administration and can
conceivably be well coordinated.

Tony


--
to unsubscribe send a message to rrg-request@psg.com with the
word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/rrg/> & ftp://psg.com/pub/lists/rrg


--
to unsubscribe send a message to rrg-request@psg.com with the
word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/rrg/> & ftp://psg.com/pub/lists/rrg

Follow-Ups:
- Re: [RRG] Renumbering... ACLs etc.
  - From: Eliot Lear <lear@cisco.com>

References:
- Re: [RRG] Renumbering...
  - From: jnc@mercury.lcs.mit.edu (Noel Chiappa)
- Re: [RRG] Renumbering...
  - From: Christian Vogt <christian.vogt@nomadiclab.com>
- RE: [RRG] Renumbering...
  - From: "Tony Li" <tony.li@tony.li>
- Re: [RRG] Renumbering... ACLs etc.
  - From: Robin Whittle <rw@firstpr.com.au>
- RE: [RRG] Renumbering... ACLs etc.
  - From: "Tony Li" <tony.li@tony.li>
- Re: [RRG] Renumbering... ACLs etc.
  - From: Robin Whittle <rw@firstpr.com.au>
- RE: [RRG] Renumbering... ACLs etc.
  - From: "Tony Li" <tony.li@tony.li>

Prev by Date: Re: [RRG] Renumbering... ACLs etc.
Next by Date: Re: [RRG] Renumbering... ACLs etc.
Previous by thread: RE: [RRG] Renumbering... ACLs etc.
Next by thread: Re: [RRG] Renumbering... ACLs etc.
Index(es):
- Date
- Thread