RE: Port numbers and IPv6 (was: I-D ACTION:draft-klensin-iana-reg-policy-00.txt)

> warning... implementing control by denying information (such as not telling
> the bad guy which port the secured-by-obscurity process is ACTUALLY running
> on) is not terribly good security. It is certainly reasonable control over
> people who want to be controlled ("management"), but not very good control
> over people who do not want to be controlled ("security").

The same is true of using port numbers to identify protocols. 

People have already figured out that the only protocols that can be
deployed in practice are the ones that run over port 80 using HTTP, the
firewall bypass protocol.

> Of course, if all protocols (and their implementations) were sufficiently
> secure themselves, firewalls wouldn't be needed, and the Net would be
> simpler than it is. But wishing won't make it so....

Nothing will give you absolute security. But there are solutions that
will help the process of security management.

Firewalls are a triage device: they block a large proportion of attacks
at the front door. This frees up the security managers to focus on the
most serious threats. But no, firewalls without management don't provide
much security.

If every single protocol developed by the IETF were to be deployed
tomorrow it would not have more than a marginal effect on Internet
crime. Nor is this surprising: the types of fraud being performed by
professional Internet criminals were not anticipated twenty years ago.

The only thing that is surprising is that there are still people who
think that the end-to-end security theory is the only acceptable
security approach. This despite the continued failure to deploy systems
designed on that principle or to get them used.

Clearly we need a different security approach than hoping that someday
everything can be done at the application ends. 

I think that it is better to look at the way security professionals
secure networks in practice and follow their lead rather than continue
to promote an unproven academic theory.


_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf