[146553] in North American Network Operators' Group
Re: Arguing against using public IP space
daemon@ATHENA.MIT.EDU (Owen DeLong)
Tue Nov 15 16:51:44 2011
In-Reply-To: <30335127.2913.1321391432299.JavaMail.root@benjamin.baylink.com>
From: Owen DeLong <owen@delong.com>
Date: Tue, 15 Nov 2011 16:45:11 -0500
To: Jay Ashworth <jra@baylink.com>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Sent from my iPad
On Nov 15, 2011, at 4:10 PM, Jay Ashworth <jra@baylink.com> wrote:
> ----- Original Message -----
>> From: "Owen DeLong" <owen@delong.com>
>
>> If your firewall is not working, it should not be passing packets.
>
> Yes; your arguments all seem to depend on that property being true.
>
> But we call it a *failure* for a reason, Owen.

If your firewall has failed to such an extent, all bets are off about what it does or does not pass, regardless of whether or not it mutilates the headers.

>
> What the probability is of a firewall failing in such a fashion as to *stop
> filtering, but still pass packets* depends -- as you have pointed out --
> entirely on its design.
>
> As *I* have pointed out, not all firewalls are created equal, and there are
> a helluva lot of them out there for which this desirable property *simply
> is not true*.

Then I would, by definition, call them routers, not firewalls.

>
> Sticking your head in the sand on this point is not especially productive.

I'm not sticking my head in the sand about anything. I am pointing out that mutilating the packet header only reduces security. It does not improve it.
Owen
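The property the two posters disagree about is the filter's failure mode: whether a box that has lost its ruleset stops forwarding (a firewall) or keeps forwarding unfiltered (a router). The model below is an added illustration and is not code from the thread or from any product discussed in it; it uses constructed sample addresses from documentation ranges and a made-up three-field rule syntax. It shows a default-deny policy on public addresses with no header rewriting, and lets the reader compare the fail-closed and fail-open behaviour of the same policy when the ruleset cannot be loaded.

```python
"""Fail-closed vs. fail-open packet filter model.

Added illustration for the NANOG thread above; not the thread's own code.
All addresses, rules and packets are constructed sample data, and the rule
syntax ("accept <prefix> <port>") is invented for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    established: bool = False  # belongs to a connection the inside initiated


@dataclass(frozen=True)
class Rule:
    dst_net: str
    dport: int
    action: str  # "accept" or "drop"


def parse_rules(text: str) -> List[Rule]:
    """Parse 'accept 203.0.113.0/24 443' style lines; raise on any malformed line."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] not in ("accept", "drop"):
            raise ValueError(f"rule line {lineno} malformed: {raw!r}")
        action, net, port = parts
        ip_network(net)  # validates the prefix before the rule is accepted
        rules.append(Rule(net, int(port), action))
    return rules


class Filter:
    """A stateful filter on public addresses: no NAT, explicit allows, default deny."""

    def __init__(self, rule_text: str, fail_closed: bool = True) -> None:
        self.fail_closed = fail_closed
        self.rules: Optional[List[Rule]] = None
        try:
            self.rules = parse_rules(rule_text)
        except ValueError:
            self.rules = None  # the filtering engine is "not working"

    def decide(self, pkt: Packet) -> str:
        if self.rules is None:
            # Failure mode: a firewall stops passing packets;
            # a box that keeps forwarding in this state is behaving as a router.
            return "drop" if self.fail_closed else "accept"
        if pkt.established:
            return "accept"  # return traffic for inside-initiated connections
        for rule in self.rules:
            if ip_address(pkt.dst) in ip_network(rule.dst_net) and pkt.dport == rule.dport:
                return rule.action
        return "drop"  # default deny: nothing matched


# Constructed sample policy: inside hosts hold public addresses (203.0.113.0/24).
GOOD_RULES = """
# allow the public web service only; everything else inbound is dropped
accept 203.0.113.0/24 443
drop   203.0.113.0/24 22
"""

# Constructed broken policy: the port field is missing, so loading fails.
BROKEN_RULES = "accept 203.0.113.0/24\n"


if __name__ == "__main__":
    inbound_https = Packet("198.51.100.7", "203.0.113.10", 443)
    inbound_ssh = Packet("198.51.100.7", "203.0.113.10", 22)
    for name, text in (("good", GOOD_RULES), ("broken", BROKEN_RULES)):
        for fail_closed in (True, False):
            f = Filter(text, fail_closed=fail_closed)
            print(name, "fail_closed" if fail_closed else "fail_open",
                  f.decide(inbound_https), f.decide(inbound_ssh))
```

With the good ruleset both variants behave identically: HTTPS to the inside host is accepted, SSH is dropped, and an unlisted port is dropped by the default rule. With the broken ruleset only the fail-closed variant keeps dropping; the fail-open variant passes everything, which is exactly the degraded device Jay describes and which Owen would no longer call a firewall.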