[e2e] Fwd: Camel's nose in the tent
David G. Andersen
dga at lcs.mit.edu
Tue Aug 14 12:40:09 PDT 2001
Simon Josefsson just mooed:
>
> Wouldn't it be easy for a firewall to use SRV records as well then?

Not really.

> E.g. the firewall rule would say "stop all packets for HTTP/TCP to
> www.example.com" and the firewall would use SRVs, compared with the
> traditional "stop all packets for port 80 to www.example.com".

Firewalls have to trade off speed with functionality. If the
firewall has to cache SRV responses, or worse yet, has to
initiate a SRV response in response to seeing a packet go through,
the firewall is opening itself up to a terrible denial of
service attack, or at least, potentially increasing the latency
of packets going through it hugely, or dropping those packets
outright.

-Dave