On Fri, Aug 31, 2007 at 08:20:20PM +0100, Gregory Stark wrote:
> Except note that ident is, like X, precisely the kind of protocol where the
> handshake matters least. Since you all the relevant data comes early in the
> message you can fire the SYN and the ACK (with the predicted sequence number)
> with the first data packet off right away.
Well, I certainly wasn't arguing the virtues of ident, in case that's
the impression you've formed.
> They may tend to but would you trust a system that depended entirely on a
> firewall for security?
Of course not. But the point is that, in real data centre use, you
have pretty serious problems if you have been compromised to the
point of people successfully spoofing TCP packets: _someone_ is on
your network. I suppose there are people hanging database servers
directly off the internet, without a stateful firewall in between,
but I don't think those people can really be helped anyway.
> Uhm, no DNS is vulnerable because it isn't authenticated.
Well, sorta. But the spoofing-based DDoS attacks that are currently
so trivial against DNS wouldn't be possible if it used TCP all the
time, or if everyone implemented BCP38.
> Well then lots of people are in a world of hurt. OSes only started adding
> filters like this about 8-9 years ago and there are plenty of people running
> Linux distributions older than this and other operating systems that are
> slower to take up new ideas. In any case there are common misconfigurations
> that defeat these kinds of filters too.
Sure. As I said above, I don't think anyone was suggesting that this
should be a general strategy. It's just one way to do things, if you
know what you're doing.
> happy to run ident on 127.0.0.1. But I would be a lot happier
> running on Unix domain sockets where it doesn't depend on an
> external daemon and ip filters -- just regular kernel credentials.
Right, but you can't use UNIX domain sockets with, say, JDBC.
> Just as an example, say you're running vmware or something like it
> and you're bridging it on to your network. Will your ip filters
> will still kick in for bridged packets? Are you 100.0% sure?
I dunno, but I do know that I'd test it before I started doing it :)
A
--
Andrew Sullivan | ajs@crankycanuck.ca
In the future this spectacle of the middle classes shocking the avant-
garde will probably become the textbook definition of Postmodernism. --Brad Holland
