On Thu, 30 Dec 2004 17:42:44 -0800 "David Schwartz" <[EMAIL PROTECTED]> wrote:
> I, for one, do not agree. End hosts and firewalls *should* reject
> all traffic they don't understand. It's precisely to prevent our
> unintentional participation (as end hosts) in such 'experiments' that
> we deploy such filters. The problem is when the policies are not
> maintained (or are [...]

If everyone actually did that, it would make upgrades to lots of things very interesting. We'd have to rely on the initial design and implementation being close to or at perfection for now and long into the future.

If you do not upgrade or configure your systems to understand the new use of previously reserved bits, then in the typical case you would silently ignore those bits and things would just continue to work in the way you were used to. Most people designing ways to make use of reserved bits in Internet protocols these days, I think, understand that backwards compatibility is often a requirement.

I think you may be fearful that the use of reserved bits introduces a new security risk, because of something a system may do in response to the use of those new fields. That is a very legitimate concern and a very real potential risk. I guess in my view of the world, in practical terms, we're not likely to see an experimental protocol start getting widely deployed and then suddenly discover that we have a major security threat on our hands that we cannot easily fix before it brings the net to a complete halt. At least not since the publication of RFC 793. :-)

I think the concept of reserved fields is a relatively well accepted practice in computing by now. Security is important, but we cannot allow security concerns to completely halt progress. It just may be in the interest of security to allow this kind of experimentation to occur.

> IMO, it's negligent to configure a firewall to pass traffic
> whose meaning is not known.

That means no end host to end host encryption that the network firewall cannot understand.

...and for anyone else who likes to block unknown bits, don't let me see or hear you complain about how the net sucks, because you are not letting it evolve so that it can be fixed. :-)

John
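The two policies argued over above can be shown side by side on a real reserved-bit reassignment. The example below is added here for illustration and is not code from anyone in the thread: it parses the 12-bit field that follows the TCP data offset (6 reserved bits plus 6 flag bits in the RFC 793 layout), once with only the RFC 793 flags known and once with the two bits RFC 3168 later assigned as CWR and ECE added. A "reject what you don't understand" filter built on the older definition drops an ECN-setup SYN; a filter that ignores reserved bits passes it; after the filter learns the new bits, strict mode passes it too but still drops a bit neither RFC assigns. The packet headers are constructed inline (zero checksum, no options), and the policy function names are this example's own.

```python
import struct

# Flag bits as a filter written against RFC 793 knows them: the low 6 bits
# of the 12-bit field after the 4-bit data offset. The upper 6 bits were
# "reserved" in that layout.
RFC793_KNOWN = {"URG": 0x020, "ACK": 0x010, "PSH": 0x008,
                "RST": 0x004, "SYN": 0x002, "FIN": 0x001}
# RFC 3168 (ECN) assigned the two lowest formerly reserved bits as CWR and ECE.
RFC3168_KNOWN = dict(RFC793_KNOWN, CWR=0x080, ECE=0x040)


def build_tcp_header(src_port, dst_port, bits12, seq=0, ack=0, window=65535):
    """Constructed 20-byte TCP header with no options (assumption: sample
    input for parsing only; checksum is left zero, it is never sent)."""
    offset_and_bits = (5 << 12) | (bits12 & 0x0FFF)   # data offset = 5 words
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       offset_and_bits, window, 0, 0)


def parse_tcp_bits(header, known):
    """Return (set of known flag names that are set, mask of bits the
    given flag table does not define)."""
    if len(header) < 20:
        raise ValueError("short TCP header")
    offset_and_bits = struct.unpack("!H", header[12:14])[0]
    bits12 = offset_and_bits & 0x0FFF
    known_mask = 0
    flags = set()
    for name, bit in known.items():
        known_mask |= bit
        if bits12 & bit:
            flags.add(name)
    return flags, bits12 & ~known_mask


def strict_policy(header, known):
    """'Reject what you don't understand': drop if any unknown bit is set."""
    flags, unknown = parse_tcp_bits(header, known)
    return ("DROP" if unknown else "PASS", flags, unknown)


def lenient_policy(header, known):
    """'Silently ignore reserved bits': decide only on the flags you know."""
    flags, unknown = parse_tcp_bits(header, known)
    return ("PASS", flags, unknown)


# Constructed samples: an ECN-setup SYN as RFC 3168 defines it (SYN+ECE+CWR),
# and a SYN carrying a bit (0x200) that neither RFC 793 nor RFC 3168 assigns.
ECN_SYN = build_tcp_header(40000, 80, 0x002 | 0x040 | 0x080)
ODD_SYN = build_tcp_header(40000, 80, 0x002 | 0x200)


def demo():
    """Verdicts for the four combinations discussed in the thread."""
    return {
        "old_filter_strict_ecn_syn":  strict_policy(ECN_SYN, RFC793_KNOWN)[0],
        "old_filter_lenient_ecn_syn": lenient_policy(ECN_SYN, RFC793_KNOWN)[0],
        "new_filter_strict_ecn_syn":  strict_policy(ECN_SYN, RFC3168_KNOWN)[0],
        "new_filter_strict_odd_syn":  strict_policy(ODD_SYN, RFC3168_KNOWN)[0],
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28s} {verdict}")
```

The point the code makes is the one both sides of the thread are circling: the strict filter's verdict depends entirely on how current its flag table is, so it is only as safe as its maintenance, while the lenient filter never needs the upgrade but also never sees the bit it is choosing to ignore.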