Re: Problem of blocking ICMP packets

On Fri, 7 May 2004 23:03:02 +0200
Iljitsch van Beijnum <iljitsch@xxxxxxxxx> wrote:

> On 7-mei-04, at 21:51, Christian Huitema wrote:
> 
> > The old assumption used to be that if a host has an IP
> > address, it can receive pretty much any packet sent to that
> > address. The practical situation we have today is that if two
> > hosts communicate over a given protocol and port, they can
> > receive packets from the same "five tuple" but are not
> > guaranteed to receive other packets. This has an important
> > consequence for many IETF designed protocols, including
> > indeed path MTU discovery.
> 
> So you are saying that when a host sends out an IP packet with
> the DF bit set, it's ok for that host (or any system on the
> path to that host) to filter out ICMP "fragmentation needed but
> DF bit set" messages?
> 
> Filtering on protocol/port numbers is a broken concept. When
> are we going to take the time to come up with a *real* security
> architecture? One that allows hosts to receive wanted packets
> and reject unwanted ones,

I've only read the abstract, however Steve Bellovin's
"Distributed Firewalls"
(http://www.research.att.com/~smb/papers/distfw.html) seems to
suggest exactly that.

Interestingly, with all the recent attacks on Microsoft software,
they seem to be going down this distributed firewalls path, where
each host has a firewall. I'm not sure if they are aware of
Steve's paper, or whether it is a result of these worms almost
always seeming to be able to bypass any network based
security in place anyway. I'd suspect the latter.

Linux and other OSs already have firewalls built in, so
maybe we are seeing an unplanned and evolutionary transition to
this model.

> rather than the current one where any
> correlation to whether a packet is wanted and whether it's
> rejected seems coincidental at best? One that at least
> entertains the possibility of doing something about denial of
> service attacks? And, last but not least, one that allows
> reasonable protocols, carrying desired communication, to
> function without undue breakage?
>

I've understood that what you have described is the end-goal
of end-to-end, opportunistic encryption and authentication, i.e.
IPsec. Once the network can't tell what type of traffic it is,
i.e. the port numbers (or protocol numbers if IPsec is run in
tunnel mode), these network based firewalls will be useless, and
hopefully will be turned off.

That wouldn't necessarily remedy denial of service attacks
though. I think denial of service attacks will always be possible
if entities can issue traffic to the network in an unregulated or
unidentified manner.

An "IPsec" only Internet would provide a disincentive to DoS, as
I'd presume that it implies that end-points are uniquely
identified, which allows responsibility for these attacks to be
attributed. That may not be a world we want to live in though as
anonymity in communications can also be a useful privacy feature.

In a few respects, DoS attacks and Spam are similar - they rely
on or assume near or absolute source anonymity, and very low
costs of transmission. If, or hopefully when, any solutions are
found to the spam problem, the fundamental methods or techniques
may be able to be applied to DoS attacks.

Regards,
Mark.
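An added illustration (my own Python, not from this thread) of the point Iljitsch raises about PMTU discovery: a host filter keyed purely on the five-tuple has no flow to match a router's ICMP "fragmentation needed" message against and drops it, black-holing path MTU discovery, while a filter that matches the packet quoted inside the error against the host's own flows admits it. Addresses are RFC 5737 documentation values and the packets are constructed samples; checksums are not computed.

```python
import socket
import struct

ICMP_PROTO, ICMP_DEST_UNREACH, CODE_FRAG_NEEDED = 1, 3, 4

def ipv4_header(src, dst, proto, length=1500):
    # Minimal 20-byte IPv4 header with DF set; checksum left zero (constructed sample).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, length, 0, 0x4000, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def tcp_packet(src, dst, sport, dport):
    # Ports and sequence number: the first 8 bytes of TCP are all an ICMP error quotes.
    return ipv4_header(src, dst, 6) + struct.pack("!HHLL", sport, dport, 1, 0)

def frag_needed(router, host, dropped, mtu):
    # Router's ICMP type 3 / code 4: next-hop MTU plus IP header + 8 bytes of the dropped packet.
    icmp = struct.pack("!BBHHH", ICMP_DEST_UNREACH, CODE_FRAG_NEEDED, 0, 0, mtu)
    return ipv4_header(router, host, ICMP_PROTO) + icmp + dropped[:28]

def five_tuple(pkt):
    sport, dport = struct.unpack("!HH", pkt[20:24])
    return (pkt[9], socket.inet_ntoa(pkt[12:16]), sport,
            socket.inet_ntoa(pkt[16:20]), dport)

def reverse(t):  # swap endpoints: an inbound packet answers an outbound flow
    return (t[0], t[3], t[4], t[1], t[2])

def port_filter(pkt, flows):
    """Five-tuple-only policy: inbound packets must answer a flow the host opened.
    ICMP carries no ports, so every error is dropped and a narrower path goes silent."""
    return pkt[9] != ICMP_PROTO and reverse(five_tuple(pkt)) in flows

def related_filter(pkt, flows):
    """Stateful policy: a 'fragmentation needed' error is wanted when the packet
    quoted inside it belongs to a flow this host opened (conntrack's RELATED)."""
    if pkt[9] != ICMP_PROTO:
        return reverse(five_tuple(pkt)) in flows
    if (pkt[20], pkt[21]) != (ICMP_DEST_UNREACH, CODE_FRAG_NEEDED):
        return False  # other ICMP types are left to other rules
    return five_tuple(pkt[28:]) in flows

def next_hop_mtu(pkt):
    # MTU the sender should switch to, read from the ICMP header of the error.
    return struct.unpack("!H", pkt[26:28])[0]

if __name__ == "__main__":
    flows = {(6, "192.0.2.10", 40000, "198.51.100.7", 443)}  # a flow this host opened
    err = frag_needed("203.0.113.1", "192.0.2.10", tcp_packet("192.0.2.10", "198.51.100.7", 40000, 443), 1280)
    print(port_filter(err, flows), related_filter(err, flows), next_hop_mtu(err))  # False True 1280
```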

_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
