RE: Domain Centric Administration, RE: draft-ietf-v6ops-natpt-to-historic-00.txt

> My point here is that the principal objection being raised to NAT, the limitation on network connectivity is precisely the reason why it is beneficial.
> 
> There is no other device that can provide me with a lightweight firewall for $50.

	other responses gave you some good news.

> Same can be said of IPv6.
> 
> We have a lot of really good ways of avoiding issues we don't like: complexity, accessibility, limited access in third world countries. 
> 
> Unless the arguments are applied consistently they should not be made at all. Otherwise they just become special pleading.

	well, you can say this for IPv4, or operating systems which do not
	have enough history.  for the record, KAME group found a bug in IPv4
	options handling, rooted in Net/1 timeframe, in year 2000.  so i use
	operating systems which have their roots in the 1970s only :-P
	http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/ip_input.c
	revision 1.132

> As I told Bruce Schneier after his silly IPSEC and Certification Authority papers, security is risk control, not risk elimination. 
> 
> It is not helpful to criticise a security measure that empirically offers a high degree of security for failing to address cases it is not designed to deal with. An HTTP server behind a NAT box is no HTTP server and thus no threat.
> 
> In a full default deny infrastructure I can allow the HTTP server external access and deal with issues such as HTTP server corruption by requiring the HTTP server to run in an isolated O/S partition so that compromise of the server cannot lead to compromise of the host.

	i can understand your point about "security is risk control".  we trust
	16-digit credit cards as credit card companies have $$$ insurance in
	the back.  ATM machines and credit card CAT systems use stone age
	technology called MODEM, so wiretapping them should be less than
	trivial for those who read the "2600 magazine".

	however, we are internet engineers, aren't we?  we are not forced
	to use modems, and even if we use modems, we put IP layer on top.
	do check Steve Deering's "hour glass" presentation if you missed it.
	http://www3.ietf.org/proceedings/01aug/slides/plenary-1/index.htm

	and, not to offend Verisign or anything, and really off topic,
	but i still believe PKI and other tree-based authentication technology
	does not scale enough.
	since we need to install keys for famous certificate authorities into
	the browsers, it became more difficult for small free software people 
	to implement/distribute HTTPS capable browsers without hitting the
	problem "we do not have CA key for Amazon.com".
 
> I can shut down 95% of existing botnets using reverse firewalls. I have yet to find a legitimate network use with an access pattern that remotely resembles the access pattern of a production botnet.
> 
> The approach I propose in the dotCrime Manifesto is that by default the network access point throttles outgoing SYN and DNS requests to some large number that is well short of the needs of spammers, DDoS SYN flooding etc.

	so you install both forward and reverse firewalls, then what kind
	of communication would you permit? :-P

> > 	OSes have to be secured by default, that's all.
> 
> Linux is ten million odd lines of code. When you have more than a million lines of code you can be certain that at least 50% of the people working on it were below average in talent. Vista is ten times bigger.
> 
> We simply don't know how to build a secure operating system today.

	well, you are using OSes which are not in AT&T UNIX family tree so you
	are in the wrong world.  sorry Microsoft guys, i do try hard not to
	offend you :-P
	http://www.freebsd.org/cgi/cvsweb.cgi/src/share/misc/bsd-family-tree

> The 'security through obscurity' argument is bogus. 
> 
> Back in the early 1990s people were arguing AGAINST the use of shadow passwords in UNIX on the grounds that they give a 'false sense of security'.
> 
> I agree that most enterprises have an exaggerated idea of what perimeter security can do for them, but that does not mean that the solution is to drop all the firewalls. That is not what is being discussed when people are talking about deperimeterization.

	funny that you say "obscurity".  i would say that NAT is the obscurity
	device.  if you are in Linux camp you know that RMS does not use
	password at all.  but i'm in OpenBSD camp so i randomize/encrypt every
	single bit of information i use, even process IDs are random.
	i do not trust MD5 password.  i use Blowfish-based password developed
	by Niels Provos.  i think i am more paranoid than most of Verisign
	guys, modulo those who are managing the root CA key in the secret vault
	in a data center whose location i cannot guess.
	http://www.usenix.org/events/usenix99/provos.html

> There is no individual security control that cannot be trumped. Host based security can be disabled if the host is compromised. We don't yet have the trustworthy systems we need to prevent that attack.
> 
> There is no individual security control that cannot be trumped, but we can deploy combinations of security controls that make it very much harder for an attacker to succeed.

	if you install secure OSes to the end clients, you do not have to
	worry about the infection by worms almost forever.  you just need to
	adjust yourself to use MagicPoint instead of PowerPoint, and use
	vi/roff/TeX instead of MS Word.

itojun
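The "reverse firewall" throttling of outgoing SYN and DNS requests quoted in the message above, modelled as an added example that is not part of the original thread: a per-host token bucket lets ordinary browsing through untouched while clipping a flood. The rate of 10 per second with a burst of 50, and the sample traffic, are constructed assumptions, not figures from the post.

```python
"""Per-host token bucket modelling the outbound SYN/DNS throttle discussed
in the thread.  Rate, burst and traffic below are illustrative assumptions."""
from collections import defaultdict


class TokenBucket:
    """Classic token bucket: `rate` tokens per second, at most `burst` stored."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.last = 0.0

    def allow(self, now):
        # Refill for the time elapsed since the last event, capped at burst.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def throttle(events, rate=10.0, burst=50):
    """events: (timestamp_sec, src_host, kind) tuples, time-ordered per host,
    with kind 'syn' or 'dns'.  Returns {host: (allowed, dropped)}.
    One bucket per (host, kind) so a DNS burst cannot starve that host's
    legitimate TCP connections and vice versa."""
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    stats = defaultdict(lambda: [0, 0])
    for ts, host, kind in events:
        if kind not in ("syn", "dns"):
            continue  # other traffic is not subject to the throttle
        ok = buckets[(host, kind)].allow(ts)
        stats[host][0 if ok else 1] += 1
    return {h: tuple(v) for h, v in stats.items()}


# Constructed sample traffic (not captured data):
#  - 'desktop' loads a page: one DNS lookup, then a dozen SYNs over ~2 seconds.
#  - 'bot' emits 1000 SYNs in one second, the shape of a SYN flood or spam run.
SAMPLE = ([(0.0, "desktop", "dns")]
          + [(0.1 + i * 0.15, "desktop", "syn") for i in range(12)]
          + [(i / 1000.0, "bot", "syn") for i in range(1000)])

if __name__ == "__main__":
    for host, (ok, dropped) in sorted(throttle(SAMPLE).items()):
        print(f"{host}: {ok} allowed, {dropped} dropped")
```

With these parameters the desktop's 13 requests all pass, while the bot keeps only its initial burst plus the handful of tokens refilled during the second, roughly 60 of 1000.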

_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf