--On Friday, July 15, 2005 13:11:09 -0700 "Hallam-Baker, Phillip"
<pbaker@xxxxxxxxxxxx> wrote:
From: Jeffrey Hutzelman [mailto:jhutz@xxxxxxx]
On Friday, July 15, 2005 11:48:28 AM -0700 "Hallam-Baker, Phillip"
<pbaker@xxxxxxxxxxxx> wrote:
Agree, for the most part. Fixed port numbers do have some operational
advantages, though...
They certainly have operational advantages for managers of firewalls
that don't have the ability to perform filtering that is any more
specific.
And this had led protocol designers to run every new protocol over port
80 using the firewall bypass protocol HTTP.
One nice feature of using DNS is that it means that you can perform a
lot of control through the signalling channel alone.
warning... implementing control by denying information (such as not telling
the bad guy which port the secured-by-obscurity process is ACTUALLY running
on) is not terribly good security. It is certainly reasonable control over
people who want to be controlled ("management"), but not very good control
over people who do not want to be controlled ("security").
The story that comes to mind is attributed to the Norwegian railroad
company, early 1940 (in April 1940, Norway was occupied by Nazi
Germany....).
Head conductor: "And in case of war, how would you deny the enemy the
use of the railway system?"
Junior conductor: "Burn all the tickets, SIR!"
Of course, if all protocols (and their implementations) were sufficiently
secure themselves, firewalls wouldn't be needed, and the Net would be
simpler than it is. But wishing won't make it so....
_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf