Firewall Wizards
mailing list archives
Re: A fun smackdown...
From: Chuck Swiger <chuck () codefab com>
Date: Sat, 21 May 2005 12:25:13 -0400
On May 20, 2005, at 10:02 PM, Marcus J. Ranum wrote:
> How about excessive ICMP filtering breaking path MTU discovery?
> Another perfect example of a bunch of egg-heads in the IETF
> coming up with a mechanism for doing something that
> completely ignored existing implementations of security
> systems - and breaks as a result. The PMTU discovery
> mechanism, using ICMP, was moronic design from the get-go.
I could care less whether a firewall breaks PMTU discovery to someone's
accounting machine or to the control and monitoring systems at the
local power plant, because I and other legitimate users are never
going to talk to such systems, and because such machines very probably
should not be Internet-routable to begin with.
By definition, the IETF is concerned with systems which interoperate
over public networks using network-wide conventions and publicly
documented standards. What people do with private machines or private
networks is up to them, at least so long as they *don't* connect those
machines to the Internet. However, when someone publishes an MX
record, or sets up www.company.com in the DNS, they are choosing to
interact with the rest of the Internet.
A firewall which breaks ESMTP, or HTTP/1.1, or PMTUD to such machines
(typically in a DMZ) significantly impacts legitimate access with
questionable gains at best for security, and IMHO is a poor tradeoff.
You shouldn't be putting the crown jewels on a DMZ host to begin with.
And as for PMTUD, I'd be happy to see a better solution for MTU
discovery, short of depending on all intermediate routers to handle IP
fragmentation in an efficient and sane fashion. Do you have something
better, Marcus...?
--
-Chuck
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
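The thread's point is that the firewall-side fix for PMTUD is not "pass all ICMP" or "drop all ICMP" but admitting the one message PMTUD needs, ICMP type 3 code 4 (fragmentation needed, RFC 1191), only when it quotes a flow the firewall already has state for. The following is an added example, not code from the email or from the firewall-wizards list: it builds frag-needed datagrams in memory, parses them, and applies a stateful accept rule in the spirit of a conntrack "RELATED" match. The flow table, addresses and MTU values are constructed for illustration.

```python
"""
Stateful admission of ICMP "fragmentation needed" (type 3, code 4), the
message Path MTU Discovery (RFC 1191) depends on.  A blanket ICMP drop
breaks PMTUD; a firewall should instead admit a type 3 / code 4 error only
when the datagram it quotes belongs to a flow the firewall has state for
and the advertised next-hop MTU is plausible.  All packets here are
constructed in memory for illustration; nothing is sent on the wire.
"""
import socket
import struct

ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4
IPV4_MIN_MTU = 68        # RFC 791 minimum; anything lower is bogus
IPPROTO_TCP = 6


def checksum(data: bytes) -> int:
    """One's-complement Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, df: bool = True) -> bytes:
    """Minimal 20-byte IPv4 header.  DF is set by default because PMTUD relies on it."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                      0x4000 if df else 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def tcp_stub(sport: int, dport: int) -> bytes:
    """First 8 bytes of a TCP header (ports + seq), all an ICMP error quotes."""
    return struct.pack("!HHI", sport, dport, 0x01020304)


def frag_needed(router: str, dst: str, next_hop_mtu: int, quoted: bytes) -> bytes:
    """Build an ICMP type 3 / code 4 datagram as a router would emit it."""
    body = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu) + quoted
    body = body[:2] + struct.pack("!H", checksum(body)) + body[4:]
    return ipv4_header(router, dst, socket.IPPROTO_ICMP, len(body), df=False) + body


def parse_frag_needed(pkt: bytes):
    """Return (router, next_hop_mtu, quoted 5-tuple) or None if not a valid frag-needed."""
    if len(pkt) < 20 + 8 + 20 + 8 or pkt[9] != socket.IPPROTO_ICMP:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    icmp = pkt[ihl:]
    if checksum(icmp) != 0:               # a valid checksum sums to zero
        return None
    itype, code, _, _, mtu = struct.unpack("!BBHHH", icmp[:8])
    if itype != ICMP_DEST_UNREACH or code != ICMP_FRAG_NEEDED:
        return None
    inner = icmp[8:]                      # quoted IP header + first 8 bytes
    inner_ihl = (inner[0] & 0x0F) * 4
    if len(inner) < inner_ihl + 8:
        return None
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    flow = (socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20]),
            inner[9], sport, dport)
    return socket.inet_ntoa(pkt[12:16]), mtu, flow


def filter_icmp_error(pkt: bytes, flows: set, current_pmtu: int = 1500):
    """Admit the error only if it quotes a flow in `flows` (the firewall's
    outbound state table, assumed here) and advertises a sane, smaller MTU.
    A zero MTU (RFC 792-only router) is rejected; real hosts fall back to a
    plateau table instead, but we keep the filter strict."""
    parsed = parse_frag_needed(pkt)
    if parsed is None:
        return False, "not a valid frag-needed message"
    _, mtu, flow = parsed
    if flow not in flows:
        return False, "quotes a flow we never originated"
    if mtu < IPV4_MIN_MTU or mtu >= current_pmtu:
        return False, "implausible next-hop MTU %d" % mtu
    return True, "lower path MTU to %d" % mtu


# Constructed state: one outbound HTTPS connection from a DMZ host.
FLOWS = {("192.0.2.10", "198.51.100.80", IPPROTO_TCP, 40000, 443)}
QUOTED = ipv4_header("192.0.2.10", "198.51.100.80", IPPROTO_TCP, 1460) + tcp_stub(40000, 443)
GOOD = frag_needed("203.0.113.1", "192.0.2.10", 1400, QUOTED)
SPOOFED = frag_needed("203.0.113.1", "192.0.2.10", 1400,
                      ipv4_header("192.0.2.10", "198.51.100.80", IPPROTO_TCP, 1460) + tcp_stub(40001, 443))
TINY = frag_needed("203.0.113.1", "192.0.2.10", 40, QUOTED)

if __name__ == "__main__":
    for name, pkt in (("good", GOOD), ("spoofed", SPOOFED), ("tiny", TINY)):
        print(name, filter_icmp_error(pkt, FLOWS))
```

The same rule is what `-m conntrack --ctstate RELATED` gives you on Linux, or `pass in inet proto icmp icmp-type unreach code needfrag` with state on pf; the point of spelling it out is that the check is on the quoted inner header, not on the outer source address, which a firewall cannot usefully validate since any router on the path may legitimately originate the error.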