|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: IAB concerns against permanent deployment of edge-based filtering
Valdis hits the nail on the head. And this boils down to something that I believe is attributable to someone commenting on the old FSP protocol, perhaps Erik Fair: The Internet routes around damage. Damage can take the form of a broken link, or it can take the form of an access-list. In the early '90s, NASA attempted to protect its links from "unauthorized use" (which in this particular case was porn). That caused a whole protocol to be developed (proving the old adage). Well, nowadays you don't even need to build a whole protocol- you can just use HTTP. And that was the point of Keith's & Ned's RFC on HTTP as a substrate. Excessive restrictions in firewalls bring about this use, and that makes the HTTP implementations fairly complex, and it will subvert the intentions of network administrators. So as a temporary measure during an active attack, access-lists make sense. Over the long haul, however, unless you're going to block downstream TCP packets with SYN only and ALL OTHER TRAFFIC, IP can run on just about anything. Eliot [email protected] wrote: On Sat, 18 Oct 2003 11:14:42 PDT, [email protected] said:There is a real danger that long-term continued blocking will lead to "everything on one port"fair amount of handwaving there.Question: Why was RFC3093 published? (Think(*) for a bit here...) About a month later, there was a *major* flame-fest on the IETF list due to this message: http://www.ietf.org/mail-archive/ietf/Current/msg11918.html Yes, the basic reason for this proposal was because many firewalls will pass HTTP but not BEEP. What major P2P applications have included a "run over port 80" option to let themselves through firewalls? It's not just handwaving. (*) Remember - satire isn't funny if it isn't about something recognizable...
|