While it's fun to watch people talking at cross purposes, I think the
basic principle is clear: Resource exhaustion must not cause a packet
to be passed (or a proxy to be established) that would not be passed
with adequate resources. Any firewall where that is not clear, by
brief inspection of the design, is one I would not wish to run.
That means that a logging failure, for example, must not lead to a hole -
but we count on that every time we forward syslog via UDP, anyway.
Unless the tester has comprehensive knowledge of the hardware and software,
testing will not exercise the exhaustion of *every* relevant resource, nor
every combination of resource exhaustions - and I'm not sure such knowledge
is possible even in theory.
That said, it would nevertheless be comforting to see real tests at
design loads and well beyond. In the hypothetical example of a bank
clearing system, the necessary human and technical resources for such a
test could surely be made available, and no sane banker would trust a
vendor's mere claim.
Barney Wolff <barney @
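The fail-closed principle Wolff states above, as an added example that is not part of his post or of any real firewall: two variants of a toy stateful packet filter, one that opens up when its connection table or audit log is exhausted and one that refuses instead. The names, the policy (new HTTPS connections only, mid-stream packets only for tracked connections), the four-entry table and the simulated log outage are all invented for illustration.

```c
/* Added example, not from the thread: a toy stateful packet filter in two
 * variants.  The connection table and the audit log are the two resources
 * that can run out; names, policy and table size are invented. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum verdict { DROP = 0, ACCEPT = 1 };

struct packet {
    uint32_t src, dst;
    uint16_t dport;
    bool syn;               /* true: opens a connection; false: mid-stream */
};

#define MAX_CONNS 4         /* deliberately tiny so the table is easy to exhaust */
struct conn { uint32_t src, dst; uint16_t dport; bool used; };

struct filter {
    struct conn table[MAX_CONNS];
    bool log_ok;            /* simulated availability of the audit log */
    bool overflow_mode;     /* used only by the fail-open variant */
};
typedef enum verdict (*filter_fn)(struct filter *, const struct packet *);

static void filter_init(struct filter *f, bool log_ok) {
    memset(f, 0, sizeof *f);
    f->log_ok = log_ok;
}

static struct conn *conn_find(struct filter *f, const struct packet *p) {
    for (size_t i = 0; i < MAX_CONNS; i++) {
        struct conn *c = &f->table[i];
        if (c->used && c->src == p->src && c->dst == p->dst && c->dport == p->dport)
            return c;
    }
    return NULL;
}

static struct conn *conn_alloc(struct filter *f, const struct packet *p) {
    for (size_t i = 0; i < MAX_CONNS; i++) {
        struct conn *c = &f->table[i];
        if (!c->used) {
            *c = (struct conn){ .src = p->src, .dst = p->dst, .dport = p->dport, .used = true };
            return c;
        }
    }
    return NULL;            /* table exhausted */
}

/* Stand-in for writing an audit record; -1 means the log is unavailable. */
static int audit_log(struct filter *f, const char *event) {
    (void)event;
    return f->log_ok ? 0 : -1;
}

/* The policy with adequate resources: new HTTPS connections only. */
static bool policy_allows_new(const struct packet *p) {
    return p->syn && p->dport == 443;
}

/* Fail-open variant.  When the table fills it enters "overflow mode" and
 * waves through untracked mid-stream packets so connections it could not
 * record keep working; it also never checks whether the audit record was
 * written.  Under exhaustion it passes packets the policy would drop. */
enum verdict filter_fail_open(struct filter *f, const struct packet *p) {
    if (p->syn) {
        if (!policy_allows_new(p)) return DROP;
        if (conn_alloc(f, p) == NULL) f->overflow_mode = true;  /* the hole */
        audit_log(f, "new");                 /* result ignored: no trail when the log is down */
        return ACCEPT;
    }
    if (conn_find(f, p) != NULL) return ACCEPT;
    return f->overflow_mode ? ACCEPT : DROP; /* unsolicited packet passes in overflow mode */
}

/* Fail-closed variant.  Every resource needed to accept safely is obtained
 * first, or the packet is dropped: exhaustion may deny service to legitimate
 * users, but it never passes a packet that adequate resources would not. */
enum verdict filter_fail_closed(struct filter *f, const struct packet *p) {
    if (p->syn) {
        if (!policy_allows_new(p)) return DROP;
        struct conn *c = conn_alloc(f, p);
        if (c == NULL) return DROP;
        if (audit_log(f, "new") < 0) { c->used = false; return DROP; }
        return ACCEPT;
    }
    return conn_find(f, p) != NULL ? ACCEPT : DROP;
}

/* Scenario: optionally fill the table with policy-allowed connections (one
 * more than it holds), then send an unsolicited mid-stream packet to SSH
 * from a host that never connected.  With adequate resources it is dropped. */
enum verdict run_probe(filter_fn filter, bool exhaust_first) {
    struct filter f;
    filter_init(&f, true);
    for (uint32_t i = 1; exhaust_first && i <= MAX_CONNS + 1; i++) {
        struct packet syn = { .src = 0x0a000000u + i, .dst = 0xc0a80001u, .dport = 443, .syn = true };
        filter(&f, &syn);
    }
    struct packet probe = { .src = 0x0b000001u, .dst = 0xc0a80001u, .dport = 22, .syn = false };
    return filter(&f, &probe);
}

/* Scenario: the audit log is unavailable when a policy-allowed connection arrives. */
enum verdict new_connection_with_log_down(filter_fn filter) {
    struct filter f;
    filter_init(&f, false);
    struct packet syn = { .src = 0x0a000001u, .dst = 0xc0a80001u, .dport = 443, .syn = true };
    return filter(&f, &syn);
}
```

With an empty table both variants drop the unsolicited SSH packet; after five allowed connections the fail-open variant accepts it while the fail-closed one still drops it, which is exactly the "packet passed under exhaustion that would not be passed with adequate resources" the principle forbids. The log-outage scenario shows the trade-off Wolff alludes to: the fail-closed variant refuses new connections while it cannot write a record, which is what "logging failure must not lead to a hole" costs, and which anyone shipping syslog over UDP has already decided not to pay.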