[e2e] What if there were no well known numbers?

John Kristoff jtk at northwestern.edu
Thu Aug 3 07:51:11 PDT 2006


On Wed, 02 Aug 2006 22:39:27 -0400
"David P. Reed" <dpreed at reed.com> wrote:

[...]
> In fact, blocking ports achieves no security to speak of.   But you'd
> be threatening to expose the Emperor's nakedness with this proposal.

The thread immediately went to a place I wasn't expecting and actually
had not intended it to go.  I think the basic premise that filtering
by magic numbers, be they ports, protocols or even some pattern match
is an effort in futility and a large number of people believe that
(though certainly not all).  Though this does raise another point I had
originally wanted to raise.  What if, well known numbers and even the
protocol semantics themselves, at least those that traditionally matter
on an end-to-end basis, were used in unexpected ways?  So for example,
what if I start setting up systems in which TCP is IP protocol 17 or I
rewrite my TCP stacks so that window is effectively hard coded to
infinity and ACKs are only used to pander to the middle boxes that want
to see them?  It might not be very nice, but what protocol police are
going to stop me from doing this?  I think the exposure of nakedness
you described would likely be the outcome again if these sorts of things
ever got off the ground in any significant way.

> > In short, couldn't this, wouldn't this, lead to a rapid rise in DNS-
> > based walled gardens (or if you prefer the quick and steady rise of
> > a fractured root, eventual modus operandi) as everyone moves to
> > replace their udp/tcp packet manglers with RR-scrubbers?

So I'd like to try to highlight the specific point on the use of DNS
that I was trying to make.  I had taken a quick look for previous
discussion on this (sorry, always bad form to do that _after_ a post)
and realized I forgot about Joe Touch's draft-touch-tcp-portnames.
He already mentions the challenge of autonomy with SRV records.  It
certainly seems like the widespread use of SRV records could well be
the sort of fundamental change end2end lovers would fear most.  Or
maybe I'm just here to stir up some noise on the otherwise unusually
quiet end2end list?  :-)

John


More information about the end2end-interest mailing list