> On Aug 26, 2018, at 2:55 PM, Toerless Eckert <[email protected]> wrote:
>
> On Sun, Aug 26, 2018 at 11:38:57AM -0700, Joe Touch wrote:
>> NATs already have what they need to do the proper job - they need to
>> reassemble and defragment using unique IDs (or cache the first fragment when
>> it arrives and use it as context for later - or earlier cached - fragments).
>> There???s no rule that IP packets that are fragmented MUST have a transport
>> header both visible (not encrypted) and immediately following the IP header.
>
> Reassmbly/refragment and MTU discovery puts NAT out of the realm of many
> cost effective HW acceleration methods. Simple address rewrite does not.
And crumple zones and airbags get in the way of cars running fast and being
inexpensive.
I.e., you’re right - doing NATs properly is more expensive than lying that you
have a functioning NAT that doesn’t.
>> Firewalls are just delusions; [1]
>> the context they think they???re enforcing has no meaning except at the
>> endpoints; it never did. [2]
>
> I completely agree with [2], but my conclusion is not [1], but
> rathat its highly valuable and necessary.
Good. Continue to run them and tell your customers that they actually stop
email when they block ports 23 and 110, etc.
The rest of us then will tunnel one port over another (VPN) and walk right
through that device (like we all dll all the time in hotels).
> The ability of firewalls to open 5-tuple bidirectional pinholes because
> of trigger traffic from the inside is IMHO the most important feature
> to keep Internet hosts protected.
A firewall hsa to be close enough to the endpoint to act as its proxy; at that
point, provided it does act as its proxy, then that sort of 5-tuple filtering
works fine. You’re offloading work of the host elsewhere - but that firewall
needs to act as a true host proxy, which includes reassembly, or it won’t work
properly (nor can it ever).
> I wish host stacks would be built securely,
> but after a few decdaces i have given up on that for most hosts. Which is
> why its so irritating when host stack pundits continue telling network device
> stack builders what they should and should not do.
No argument there - but again, pushing the work of that host to another device
MAKES THAT DEVICE A HOST.
Hosts receiving packets reassemble. Period. Or they won’t work. Period. And
those that don’t, don’t work.
> Firewalls inspecting unencrypted higher layer message elements where a fairly
> well working security model based on having a separate security administration
> from the application administration.
No better, FWIW, than would be managed software inside the end system. There’s
no strict rule these need to be separate devices, but - as per above - they
work fine when they act as they actually need to.
> Now the applications promise to
> provide all the security themselves, but they primarily just prohibit
> visibility
> of what they do, so its a lot harder to figure out when they are insecure.
>
> Would you ever put all type of in-home "iot" gear thats not a Windows/MacOS
> system with a GUI you can control on the Internet without a firewall ?
Without firewall functions somewhere? No - I agree. But I also wouldn’t put
that firewall inside the network where it couldn’t see the fragments to
reassemble - because it will never work properly.
I.e., I agree that “it hurts when we do that”, but not that we have to do it
the wrong way (even though it’s cheaper).
Joe
_______________________________________________
Int-area mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/int-area
