[76821] in North American Network Operators' Group
Re: Smallest Transit MTU
daemon@ATHENA.MIT.EDU (Robert E.Seastrom)
Fri Dec 31 01:51:31 2004
To: John Kristoff <jtk@northwestern.edu>
Cc: nanog@merit.edu
From: Robert E.Seastrom <rs@seastrom.com>
Date: Fri, 31 Dec 2004 01:51:01 -0500
In-Reply-To: <20041230213101.6425c64e@dsl017-022-068.chi1.dsl.speakeasy.net> (John Kristoff's message of "Thu, 30 Dec 2004 21:31:01 -0600")
Errors-To: owner-nanog-outgoing@merit.edu
John Kristoff <jtk@northwestern.edu> writes:
> I think you may be fearful that the use of reserved bits introduces
> a new security risk, because of something a system may do in response
> to the use of those new fields. That is a very legitimate concern
> and a very real potential risk. I guess in my view of the world, in
> practical terms, we're not likely to see an experimental protocol
> start getting widely deployed and then suddenly discover that we have
> a major security threat on our hands that we cannot easily fix before
> it brings the net to a complete halt. At least not since the
> publication of RFC 793. :-)
You must not remember how SunOS 4 responded when handed icmp echo
requests with the record-route option set (passed the packet on for
the next guy to enjoy and then promptly panicked).
A deny-all-permit-some firewall that passes through IP options which
are not explicitly needed for the operation of some specific end-node
would qualify for the "unclear on the concept" award.
---Rob
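Rob's closing point, that a deny-all-permit-some firewall should not let IP options through unless a specific end node needs them, can be turned into a concrete check. The following is an added example written for this archive page; it is not code from the original post, from SunOS, or from any firewall product. It parses an IPv4 header, walks the options field, and returns a verdict that drops any packet carrying an option type not on an explicit allowlist (NOP and EOL are treated as padding and permitted). Malformed headers, such as a truncated options area or an option whose length byte runs past the header, are dropped as well, since that is exactly the kind of input that made the old stack fall over. The option type codes are the RFC 791 values; the packet builder, the 192.0.2.x addresses, and the function names are constructed for the example.

```python
import socket
import struct
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# IPv4 option type bytes (copied|class|number) as assigned in RFC 791.
OPT_EOL = 0            # end of option list
OPT_NOP = 1            # no operation (padding)
OPT_RECORD_ROUTE = 7   # the option Rob mentions
OPT_TIMESTAMP = 68
OPT_LSRR = 131         # loose source route
OPT_SSRR = 137         # strict source route


@dataclass
class IPv4Header:
    ihl: int                          # header length in 32-bit words
    total_length: int
    protocol: int
    src: str
    dst: str
    options: List[Tuple[int, bytes]]  # (type, option data without type/len)


def parse_options(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk the options area; raise ValueError on any malformed encoding."""
    opts: List[Tuple[int, bytes]] = []
    i = 0
    while i < len(data):
        t = data[i]
        if t == OPT_EOL:
            opts.append((t, b""))
            break                      # everything after EOL is padding
        if t == OPT_NOP:
            opts.append((t, b""))
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("option without a length byte")
        ln = data[i + 1]
        if ln < 2 or i + ln > len(data):
            raise ValueError("option length runs outside the header")
        opts.append((t, data[i + 2:i + ln]))
        i += ln
    return opts


def parse_ipv4_header(pkt: bytes) -> IPv4Header:
    """Parse the fixed header plus options; raise ValueError if inconsistent."""
    if len(pkt) < 20:
        raise ValueError("shorter than minimum IPv4 header")
    (vihl, _tos, total_length, _ident, _flags_frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if vihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = vihl & 0x0F
    if ihl < 5:
        raise ValueError("IHL below 5")
    hlen = ihl * 4
    if len(pkt) < hlen:
        raise ValueError("header truncated: IHL claims more bytes than present")
    return IPv4Header(ihl, total_length, proto,
                      socket.inet_ntoa(src), socket.inet_ntoa(dst),
                      parse_options(pkt[20:hlen]))


def firewall_verdict(pkt: bytes, allowed_options: FrozenSet[int] = frozenset()) -> str:
    """Deny-all-permit-some policy for IP options: anything not allowlisted is dropped."""
    try:
        hdr = parse_ipv4_header(pkt)
    except ValueError:
        return "DROP"                  # malformed header: never forward it
    for opt_type, _ in hdr.options:
        if opt_type in (OPT_EOL, OPT_NOP):
            continue                   # padding only, carries no behaviour
        if opt_type not in allowed_options:
            return "DROP"
    return "ACCEPT"


def build_ipv4(options: bytes = b"", payload: bytes = b"",
               src: str = "192.0.2.1", dst: str = "192.0.2.2", proto: int = 1) -> bytes:
    """Constructed test packet; checksum is left zero because the policy ignores it."""
    if len(options) > 40:
        raise ValueError("options area is limited to 40 bytes")
    options += b"\x00" * ((-len(options)) % 4)   # pad to a 32-bit boundary with EOL
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                        0, 0, 64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return fixed + options + payload


if __name__ == "__main__":
    plain = build_ipv4()
    # Record Route with room for one address: type 7, length 7, pointer 4, 4 bytes of slot.
    with_rr = build_ipv4(bytes([OPT_RECORD_ROUTE, 7, 4, 0, 0, 0, 0]))
    for name, p in (("plain", plain), ("record-route", with_rr), ("truncated", with_rr[:24])):
        print(f"{name:13s} -> {firewall_verdict(p)}")
```

The allowlist is empty by default, which is the posture the post argues for; a site that genuinely needs, say, Record Route for a specific host would pass `frozenset({OPT_RECORD_ROUTE})` for traffic to that host only, rather than passing every option everywhere.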