
Re: apps people?



On Mon, 11 Aug 2003 22:03:36 -0700
"Tony Hain" <alh-ietf@tndh.net> wrote:

> Pekka Savola wrote:
> > Why exactly is advertising the aggregate a problem?  The nodes will filter
> > out those sources they are auto-configured not to speak to before even
> > seeing any malicious packets.
> 
> You clearly trust your filter configuration manager. Not everyone does, and
> there is ample 'operational failure from typo' evidence to back up their
> mistrust.
> 
> The point is that if there is no route, there is nothing that will need to
> be filtered. 

True, but in my experience in a large, multi-departmental government network, it is fairly common that end user security / access requirements don't fall neatly along route / prefix boundaries. Typically this is because security has crept into the network, triggered by attachment to the Internet.

In government networks, route filtering is a useful tool to have, but mostly it is a "nice to use", because it is too blunt to facilitate the security / access requirements of the end users. 

Typically, the order of use of available network / transport layer security tools to meet common end-user requirements is :

(1) "application" level - ie. filter on TCP / UDP ports, possibly in combination with IPv4 source and / or destination address.
(2) network layer - filter IPv4 source and / or destination IPv4 address.
(3) route filtering

Service providers, OTOH, protect their end-users by protecting the network itself. Route filtering is one of the primary tools for doing that, so (3) on my enterprise list is one of the (1)s on the service provider list.

Since IPv6 prefixes are going to be mapped along the same boundaries as IPv4 prefixes ie., layer 2 broadcast domains, IPv6 route filtering in a government network will be just as dull a tool as it is in IPv4. 

> The security paranoid will both remove routes, and install
> filters, on the belief that failures will not occur in both at the same
> time. Despite the noise about not providing security, these are two
> mechanisms used in basic layered security models.
> 

The security paranoid, at least in a government environment, would *like* to perform route filtering as part of a defense in depth strategy in addition to filtering, but end-user access requirements usually put an end to that idea.

Regards,
Mark.
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to majordomo@sunroof.eng.sun.com
--------------------------------------------------------------------
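The two positions in the thread (a missing route stops traffic before any filter is consulted; a filter typo can open a hole; per-user access requirements do not follow prefix boundaries) can be seen together in a small forwarding simulation. The following is an added example written for this page, not code from the thread or from any IPng participant; the prefixes, hosts, ports and the deliberately mistyped ACL entry are all constructed sample values in the 2001:db8::/32 documentation range.

```python
"""
Layered enforcement simulation: a routing table and an access-control list
are two independent mechanisms. A packet must survive both.
Everything below (prefixes, hosts, ports, rules) is constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass
class Rule:
    """One ACL entry; None for proto/dport means 'any'."""
    action: str                    # "permit" or "deny"
    src: str = "::/0"
    dst: str = "::/0"
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src, strict=False)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst, strict=False)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


def has_route(routes: List[str], dst: str) -> bool:
    """Routing layer: if no prefix covers dst there is nothing to filter."""
    d = ipaddress.ip_address(dst)
    return any(d in ipaddress.ip_network(r, strict=False) for r in routes)


def acl_permits(rules: List[Rule], p: Packet) -> bool:
    """Filtering layer: first-match ACL with an implicit deny at the end."""
    for r in rules:
        if r.matches(p):
            return r.action == "permit"
    return False


def forward(routes: List[str], rules: List[Rule], p: Packet) -> str:
    """Apply both layers; the result string says which layer dropped the packet."""
    if not has_route(routes, p.dst):
        return "drop:no-route"
    if not acl_permits(rules, p):
        return "drop:acl"
    return "forward"


# Constructed routing table. The "lab" prefix 2001:db8:ff::/48 is deliberately absent.
ROUTES = ["2001:db8:1::/48", "2001:db8:2::/48"]

# Constructed ACL. The finance workstation and the "other" workstation share one
# /64, so only a host + port rule (not a route or prefix rule) can separate them.
# The second entry contains a deliberate typo: the operator meant to deny
# 2001:db8:ff::/48 but typed 2001:db8:fe::/48.
ACL = [
    Rule("permit", src="2001:db8:1:5::10/128", dst="2001:db8:2:1::1/128", proto="tcp", dport=1433),
    Rule("deny", dst="2001:db8:fe::/48"),
    Rule("permit", src="2001:db8:1::/48", proto="tcp", dport=80),
]


def demo() -> Dict[str, str]:
    """Run four constructed packets through both layers and report the outcome."""
    finance, other, db, lab = ("2001:db8:1:5::10", "2001:db8:1:5::20",
                               "2001:db8:2:1::1", "2001:db8:ff::9")
    cases = {
        "finance_to_db": Packet(finance, db, "tcp", 1433),    # allowed by host+port rule
        "other_to_db": Packet(other, db, "tcp", 1433),        # same /64, implicit deny
        "other_to_web": Packet(other, db, "tcp", 80),         # allowed by port rule
        "typo_to_unrouted_lab": Packet(other, lab, "tcp", 80),  # ACL typo would permit it
    }
    return {name: forward(ROUTES, ACL, p) for name, p in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22s} {result}")
```

The last case is the one Tony describes: the ACL, because of the typo, would permit traffic to the lab prefix, but with no route to that prefix the packet never reaches the filter that was supposed to catch it. The first two cases are Mark's point: the two workstations sit in the same /64, so neither route withdrawal nor a prefix filter can tell them apart, and the access requirement has to be expressed at the host-and-port level.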