Arguing against using public IP space

Owen DeLong owen at delong.com
Tue Nov 15 21:45:11 UTC 2011



Sent from my iPad

On Nov 15, 2011, at 4:10 PM, Jay Ashworth <jra at baylink.com> wrote:

> ----- Original Message -----
>> From: "Owen DeLong" <owen at delong.com>
> 
>> If your firewall is not working, it should not be passing packets.
> 
> Yes; your arguments all seem to depend on that property being true.
> 
> But we call it a *failure* for a reason, Owen.  

If your firewall has failed to such an extent, all bets are off about what it does or does not pass regardless of whether or not it mutilates the headers.

> 
> What the probability is of a firewall failing in such a fashion as to *stop
> filtering, but still pass packets* depends -- as you have pointed out -- 
> entirely on its design.
> 
> As *I* have pointed out, not all firewalls are created equal, and there are
> a helluva a lot of them out there for which this desirable property *simply
> is not true*.

Then I would, by definition, call them routers, not firewalls.

> 
> Sticking your head in the sand on this point is not especially productive.

I'm not sticking my head in the sand about anything. I am pointing out that mutilating the packet header only reduces security. It does not improve it.

Owen
