Arguing against using public IP space
Owen DeLong
owen at delong.com
Tue Nov 15 21:45:11 UTC 2011
Sent from my iPad
On Nov 15, 2011, at 4:10 PM, Jay Ashworth <jra at baylink.com> wrote:
> ----- Original Message -----
>> From: "Owen DeLong" <owen at delong.com>
>
>> If your firewall is not working, it should not be passing packets.
>
> Yes; your arguments all seem to depend on that property being true.
>
> But we call it a *failure* for a reason, Owen.
If your firewall has failed to such an extent, all bets are off about what it does or does not pass, regardless of whether or not it mutilates the headers.
>
> What the probability is of a firewall failing in such a fashion as to *stop
> filtering, but still pass packets* depends -- as you have pointed out --
> entirely on its design.
>
> As *I* have pointed out, not all firewalls are created equal, and there are
> a helluva lot of them out there for which this desirable property *simply
> is not true*.
Then I would, by definition, call them routers, not firewalls.
>
> Sticking your head in the sand on this point is not especially productive.
I'm not sticking my head in the sand about anything. I am pointing out that mutilating the packet header only reduces security. It does not improve it.
Owen