[53000] in North American Network Operators' Group


Re: How to secure the Internet in three easy steps

daemon@ATHENA.MIT.EDU (Sean Donelan)
Fri Oct 25 14:58:17 2002

Date: Fri, 25 Oct 2002 14:57:23 -0400 (EDT)
From: Sean Donelan <sean@donelan.com>
To: Paul Vixie <vixie@vix.com>
Cc: nanog@merit.edu
In-Reply-To: <g3k7k64cd8.fsf@as.vix.com>
Errors-To: owner-nanog-outgoing@merit.edu


On 25 Oct 2002, Paul Vixie wrote:
> > 1. Require all providers install and manage firewalls on all subscriber
> > connections enforcing source address validation.
>
> i can see how the end to end principle applies in cases 2 and 3, but not 1.

I didn't make any of these up.  They've all been proposed by serious,
well-meaning people.

If you have 2 and 3, why do you need to waste global addresses on 1?  So
the NSP-managed "firewall" device is really a super-NAT device, which
some well-meaning people believe NAT improves security because users
won't be able to set the outbound addresses themselves.  The firewall will
rewrite the user's hidden internal address with the firewall's registered
address.

It's a misunderstanding of what source address validation is.  Some folks
think it should work like ANI, where the telephone company writes the
"correct" number on the call at the switch.
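The distinction the post draws, as an added illustration that is not part of the NANOG thread: source address validation checks the source a subscriber put on a packet against the prefix the provider assigned to that port and drops mismatches, while the "super-NAT" approach overwrites whatever source was there. The port-to-prefix table, the NAT address and the packets below are constructed sample data, and the `Packet`, `source_address_validation`, `nat_rewrite` and `process` names are this example's own.

```python
"""Source address validation versus NAT rewriting at a subscriber edge.

Added illustration (not from the NANOG thread). Assumes the provider knows
the prefix assigned to each subscriber port; the prefixes and packets are
constructed sample data.
"""
import ipaddress
from dataclasses import dataclass, replace

# Constructed sample: which address block each subscriber port is assigned.
SUBSCRIBER_PREFIXES = {
    "port-1": ipaddress.ip_network("203.0.113.0/29"),
    "port-2": ipaddress.ip_network("198.51.100.64/26"),
}

# Constructed: the registered public address a NAT edge would stamp on egress.
NAT_PUBLIC_ADDRESS = ipaddress.ip_address("192.0.2.1")


@dataclass(frozen=True)
class Packet:
    ingress_port: str
    src: str
    dst: str


def source_address_validation(pkt: Packet) -> bool:
    """BCP 38-style ingress filter: accept only if the packet's source lies
    inside the prefix assigned to the port it arrived on; otherwise drop.
    The packet itself is never modified."""
    prefix = SUBSCRIBER_PREFIXES.get(pkt.ingress_port)
    if prefix is None:
        return False  # unknown port: fail closed
    return ipaddress.ip_address(pkt.src) in prefix


def nat_rewrite(pkt: Packet) -> Packet:
    """The 'super-NAT' behaviour the post describes: whatever source the
    subscriber put on the packet is replaced by the edge's registered
    address, so a wrong source is not rejected, it is overwritten."""
    return replace(pkt, src=str(NAT_PUBLIC_ADDRESS))


def process(pkt: Packet, mode: str):
    """Return ('forward', pkt) or ('drop', None) for the chosen edge policy."""
    if mode == "sav":
        return ("forward", pkt) if source_address_validation(pkt) else ("drop", None)
    if mode == "nat":
        return ("forward", nat_rewrite(pkt))
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    legit = Packet("port-1", "203.0.113.5", "192.0.2.200")
    # Source taken from another port's block, arriving on port-1.
    mismatched = Packet("port-1", "198.51.100.77", "192.0.2.200")
    for p in (legit, mismatched):
        print("sav:", process(p, "sav"))
        print("nat:", process(p, "nat"))
```

Running it shows the difference in one line each: under `sav` the mismatched packet is dropped and the legitimate one is forwarded untouched, while under `nat` both are forwarded carrying the edge's own address, which is why a NAT that "writes the correct number" is not source address validation.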

