IAB concerns against permanent deployment of edge-based filtering
Eliot Lear
lear at cisco.com
Sat Oct 18 20:34:24 UTC 2003
Valdis hits the nail on the head. And this boils down to something that
I believe is attributable to someone commenting on the old FSP protocol,
perhaps Erik Fair:
The Internet routes around damage.
Damage can take the form of a broken link, or it can take the form of an
access-list. In the early '90s, NASA attempted to protect its links
from "unauthorized use" (which in this particular case was porn). That
caused a whole protocol to be developed (proving the old adage). Well,
nowadays you don't even need to build a whole protocol- you can just use
HTTP.
And that was the point of Keith's & Ned's RFC on HTTP as a substrate.
Excessive restrictions in firewalls bring about this use, and that makes
the HTTP implementations fairly complex, and it will subvert the
intentions of network administrators.
So as a temporary measure during an active attack, access-lists make
sense. Over the long haul, however, unless you're going to block
downstream TCP packets with SYN only and ALL OTHER TRAFFIC, IP can run
on just about anything.
Eliot
Valdis.Kletnieks at vt.edu wrote:
> On Sat, 18 Oct 2003 11:14:42 PDT, bmanning at karoshi.com said:
>
>
>>>>There is a real danger that long-term continued blocking will lead
>>>>to "everything on one port"
>>
>> fair amount of handwaving there.
>
>
> Question: Why was RFC3093 published? (Think(*) for a bit here...)
>
> About a month later, there was a *major* flame-fest on the IETF list due to
> this message:
>
> http://www.ietf.org/mail-archive/ietf/Current/msg11918.html
>
> Yes, the basic reason for this proposal was because many firewalls will pass HTTP
> but not BEEP.
>
> What major P2P applications have included a "run over port 80" option to let
> themselves through firewalls?
>
> It's not just handwaving.
>
> (*) Remember - satire isn't funny if it isn't about something recognizable...
More information about the NANOG
mailing list