[e2e] Fwd: Camel's nose in the tent
Simon Josefsson
simon at josefsson.org
Thu Aug 16 11:40:34 PDT 2001
"David G. Andersen" <dga at lcs.mit.edu> writes:
>> E.g. the firewall rule would say "stop all packets for HTTP/TCP to
>> www.example.com" and the firewall would use SRVs, compared with the
>> traditional "stop all packets for port 80 to www.example.com".
>
> Firewalls have to trade off speed with functionality. If the
> firewall has to cache SRV responses, or worse yet, has to
> initiate a SRV response in response to seeing a packet go through,
> the firewall is opening itself up to a terrible denial of
> service attack, or at least, potentially increasing the latency
> of packets going through it hugely, or dropping those packets
> outright.
Yes, I agree, but my point is that if you would try to use SRV records
as a scheme to circumvent stupid firewall rules, it's not unlikely
that some firewall manufacturer would implement SRV filtering support
and market it as a feature.
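As an added illustration (not code from the thread or from either author), here is a sketch of how a firewall could honour a service-level deny rule such as "HTTP/TCP to www.example.com" from a cache of SRV records without ever initiating a lookup from the packet path, keeping the static port rule as a fallback; the class and method names, the injectable clock and the fallback-port table are assumptions:

```python
"""Service-level deny rules expanded from a locally cached SRV table (constructed example)."""
from dataclasses import dataclass

# Static fallback so a rule still means something when no SRV data is cached.
DEFAULT_PORTS = {("http", "tcp"): 80}


@dataclass(frozen=True)
class SrvRecord:           # fields as in an SRV RR: priority, weight, port, target
    priority: int
    weight: int
    port: int
    target: str


class SrvFirewall:
    def __init__(self, clock):
        self.clock = clock      # callable returning seconds; injected so expiry is testable
        self.cache = {}         # "_http._tcp.host" -> (expires_at, tuple of SrvRecord)
        self.rules = []         # (service, proto, host) deny rules

    def deny(self, service, proto, host):
        self.rules.append((service.lower(), proto.lower(), host.lower()))

    def learn(self, service, proto, host, records, ttl):
        """Populate the cache out of band (a resolver process), never from the data path."""
        name = f"_{service}._{proto}.{host}".lower()
        self.cache[name] = (self.clock() + ttl, tuple(records))

    def _cached(self, name):
        entry = self.cache.get(name)
        if entry is None or entry[0] <= self.clock():   # missing or TTL expired
            self.cache.pop(name, None)
            return ()
        return entry[1]

    def blocked_endpoints(self):
        """Expand each deny rule into concrete (host, proto, port) tuples."""
        out = set()
        for service, proto, host in self.rules:
            if (service, proto) in DEFAULT_PORTS:                 # traditional port rule
                out.add((host, proto, DEFAULT_PORTS[(service, proto)]))
            for r in self._cached(f"_{service}._{proto}.{host}"):  # SRV-advertised targets
                out.add((r.target.rstrip(".").lower(), proto, r.port))
        return out

    def decide(self, proto, dst_host, dst_port):
        """Per-packet decision: only a dictionary lookup, no DNS on the hot path."""
        key = (dst_host.lower(), proto.lower(), dst_port)
        return "drop" if key in self.blocked_endpoints() else "accept"
```

Once the cached records expire, the SRV-derived targets silently fall out of the block set, which is the stale-cache failure mode the thread warns about; a deployment would need a refresh strategy that does not run in the packet path.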