> From: "Marcus J. Ranum" <mjr @ nfr . net>
> To: Adam Shostack <adam @ homeport . org>
>
> > It's nice to see that we'll have some level of security for
> > sessions, in increasing the difficulty of hijacking sessions and
> > forging IP packets for SYN attacks.
>
> Session hijacking and snooping are easily solved at an
> application level. We do it today with SSL and ssh and
> whatnot and it works great. Changing to a secure protocol
> to fix something that applications can do easier, faster,
> and with more appropriate granularity is silly.
Ah, but Marcus, you were just complaining that the applications
weren't secure. Can't have your cake and eat it too! :-)
Unlike you, I'm looking forward to OS (protocol stack)
level security. That way it's not up to the local 90 day
programmer.
I know it's not going to solve the whole problem but a ubiquitous,
interoperable, standard set of encryption and authentication
tools wrapped into all platforms has got to be a good thing!
> SYN flooding's another story but I don't think anything can
> really "solve" denial of service. The arithmetic of denial
> of service is the same as terrorism: the good guys can't
> watch all the possible points of attack. Unless the good
> guys become terrorists (or "counter terrorists" is the
> nicer term) they lose.
Can't do it even then. There are too many ports of entry and
too many vulnerabilities on a shared network. Simple things
like broadcasts and traffic levels alone can cause problems
without any internal knowledge. Add a little internal protocol
or application knowledge and it's hopeless without strong
communications restrictions... and that kind of negates the
reason for a network. A network, like a free society, depends
on the cooperation of its members for proper functioning.
Gary Flynn
Network Analyst
James Madison University