mailing list archives
RE: on-the-fly-analysis vs. proxy rewrites
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Thu, 09 Feb 2006 12:06:47 -0500
You keep using SMTP as an example but that is such a small bunch of
Well, it -was- small, but now it's not. The standards pukes keep bolting
new curb-feelers and shag carpet and mirror disco balls onto it, too...
Last year I recall I was poking fun at Wietse Venema about the fact
that postfix now has more lines of code in it than sendmail (!!)
17362 lines: sendmail 4.6 (1991) from net2 tape
299545 lines: postfix-2.2.2 (current release)
220263 lines: sendmail-8.13.4 (current release)
(See: http://www.ranum.com/security/computer_security/archives/issa-minneapolis-2005.pdf )
and Wietse pointed out that he tracks the wads of code bloat against
the RFCs that trigger them, and the cost of complying with standards
is measurable and large.
I'll also note that in 1991 Steve Bellovin used to call sendmail
"sendwhale" because he felt that at 17,000+ lines of code it was
too bloated to have its security properties understood. ;) I know
Wietse feels postfix is OK in spite of the bloat because he designed
the system so that the volume of trusted code has not grown
in comparison the the volume of un-trusted code. My hat's off to
Wieste - but the standards pukes get a big raspberry from Marcus:
if SMTP worked in 1991 they should have left it the hell alone
and gone back to making IPV6 too bloated to use instead.
Of course my response to that is "why comply with standards?" A boundary
device SHOULD NOT BE 100% STANDARDS COMPLIANT because the
Ahem, excuse me for shouting, there. But this particular topic makes me
want to scream every time I think about it. Consider the FTP RFC. The
FTP RFC *requires* that an FTP server be capable of carrying out FTP
bounce attacks and scans. Well, OK, I just looked at the FTP RFC and
the standards pukes have apparently hammered TLS into it "to secure
it" and my brain shut off when I saw the magic phrase "firewall-friendly"
and I could read no further. Perhaps FTP has gotten better. Who wants
So, the fact that SMTP is a "small bunch of RFCs" is not the issue; the
issue is that SMTP is already off the chart of suckage and rocketing
toward the stratosphere of suck. Don't get me started on HTTP...
What about trying to deal with http which has almost no bounds?
Ah, I thought I told you not to get me started on HTTP... ;)
There are two many possible uri's.
That's putting it far more mildly than I would. So let's leave it at that.
All of the proxies I've looked (and that's
not many) do very little in the way of breaking down the uri and
handling those various subcomponents (such as java script, activex,
dll's even). It's usually block all java script (useless) or let it all
through (worse than useless).
Yes, the current state of the art can best be summarized as
"horrible and getting worse"
And what do you do when there are hundreds of nasty DLL's in paths and
hundreds of good ones. I mean, where do you start?
Only a really stupid stupid operating system would use DLLs. I mean,
think about it - the whole notion of a stable "release level" completely
goes down the toilet when you imagine a runtime environment where
major subcomponents of a program can be altered between invocations
without the program's having any idea that it happened. Surely nobody
would actually implement such a bad idea? Oh, um, wait...
And with all the other demands placed upon my valuable time and
resource, how on earth could someone possibly be expected to parse and
control every nuance within the realm of http? What about parsing the
query? What's safe? What's not?
You can't. It's achieved "critical mass of suck" - and thanks to
backwards, forwards, and sideways compatibility, it will get
worse and worse until finally the suck gets so severe that
it bends light and gravity and consumes everything. Oh, wait,
that happened when content chunk encoding was invented.
Does anyone know what the hell motivated that particular
piece of braindamage? Was some twit trying to do TCP over
an existing TCP stream?
I feel that the horse has already bolted on that one.
The horse didn't bolt, he walked out rather leisurely, then caught
a cruise ship to Brazil, changed his name, and cashed in his
stock options for a bunch of flashy mares and a lot of carrots.
All I can say is "hey, I didn't break it, stop asking me to fix it."
In the immortal words of Lord John Worfin: "S'notta my problem, monkey-boy."
firewall-wizards mailing list
firewall-wizards () honor icsalabs com