North American Network Operators Group


Re: [arin-announce] IPv4 Address Space (fwd)

  • From: matt
  • Date: Wed Oct 29 17:25:12 2003

> 
> In a message written on Wed, Oct 29, 2003 at 02:24:54PM -0600, Kuhtz, Christian wrote:
> > Isn't that the whole point of running a VPN connection?
> 
> Yes.  What I'm saying is network operators are slowly forcing
> everyone to run _everything_ over a VPN like service.  That's fine,
> but it makes network operators unable to act on the traffic at the
> same level they can today.
> 
>        Leo Bicknell - [email protected] - CCIE 3440
>         PGP keys at http://www.ufp.org/~bicknell/

I think the other point that may be escaping some people,
is that as more and more connections take on this VPN-like
quality, as network operators we lose any visibility into
the validity of the traffic itself.  
Imagine how much more painful SQL Slammer would have been, 
if all the traffic was encapsulated in port 80 between 
sites, and only hit port 1434 locally?
We'd suddenly be unable to quickly filter out the worm
traffic, and would instead see only that our port 80 traffic
was now eating our network alive--and we certainly couldn't
get away with filtering that out.  We'd have no choice but
to build our networks large enough to handle the largest
sized worm outbreak, as we'd have no option but to carry
the traffic blindly from end to end, having no way to
even begin to consider how to differentiate valid traffic
from invalid traffic.

At least today, we can decide that 92-byte ICMP echo-request
packets are invalid, and drop them; or that for the most part,
packets destined to port 1434 should be discarded as quickly
as possible.  If everything, including worm outbreaks, gets
tunneled on port 80, get ready to loosen the purse strings,
because there's no alternative other than to add more capacity.

If I were more of a conspiracy theorist, I might think
that the router vendors and long-haul fiber providers
might be rubbing their hands gleefully in the background,
funnelling dollars into the VPN marketplace to fund
more and more products that do exactly that...it would
certainly be one way to ensure that the demand for
larger pipes and faster routers stays high for the
next decade or so, until OS vendors learn to secure
their software better.  ^_^;;

Matt
happy to still be able to block IPs/ports at his own
discretion
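The visibility loss Matt describes, as an added example that is not part of the original post: a toy packet classifier applies the two filters he names (drop 92-byte ICMP echo-requests, discard anything destined to port 1434) to constructed packets, and shows that the same port-1434 datagram carried as payload on a TCP/80 "tunnel" is classified exactly like a plain HTTP request. The packet builders, addresses and payload bytes are all made up for this example.

```python
import struct

# All packets below are constructed samples, not captures of real worm traffic.
def ipv4(proto, payload, src="10.0.0.1", dst="10.0.0.2"):
    """Minimal IPv4 header (no options; checksum left zero, a filter ignores it)."""
    total = 20 + len(payload)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                       bytes(map(int, src.split("."))),
                       bytes(map(int, dst.split(".")))) + payload

def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def tcp(sport, dport, data):
    # 20-byte header, PSH|ACK set, no options
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + data

def icmp_echo(data):
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1) + data   # type 8 = echo request

def classify(pkt):
    """The two operator filters named in the post; returns 'drop' or 'forward'."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    proto, l4 = pkt[9], pkt[ihl:]
    if proto == 1 and l4[0] == 8 and total_len == 92:          # 92-byte echo request
        return "drop"
    if proto in (6, 17) and struct.unpack("!H", l4[2:4])[0] == 1434:  # dport 1434
        return "drop"
    return "forward"

# Worm traffic as the operator sees it on the wire today: both rules fire.
WORM_ICMP = ipv4(1, icmp_echo(b"\xaa" * 64))                  # 20 + 8 + 64 = 92 bytes
DGRAM_1434 = udp(1234, 1434, b"\x04" + b"\x01" * 375)         # constructed filler payload
WORM_1434 = ipv4(17, DGRAM_1434)

# The same 1434 datagram carried as opaque payload of a TCP/80 "tunnel", next to a
# normal HTTP request: the filter has nothing to key on and forwards both alike.
TUNNELED = ipv4(6, tcp(40000, 80, DGRAM_1434))
PLAIN_HTTP = ipv4(6, tcp(40001, 80, b"GET / HTTP/1.0\r\n\r\n"))

def verdicts():
    return {name: classify(p) for name, p in
            [("icmp_worm", WORM_ICMP), ("udp_1434", WORM_1434),
             ("tunneled_1434", TUNNELED), ("plain_http", PLAIN_HTTP)]}

if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:15s} {verdict}")
```

A real VPN would also encrypt the inner datagram, so even deep inspection of the TCP/80 payload would not recover the port number the second rule depends on.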