[e2e] Fwd: Camel's nose in the tent

Simon Josefsson simon at josefsson.org
Thu Aug 16 11:40:34 PDT 2001


"David G. Andersen" <dga at lcs.mit.edu> writes:

>> E.g. the firewall rule would say "stop all packets for HTTP/TCP to
>> www.example.com" and the firewall would use SRVs, compared with the
>> traditional "stop all packets for port 80 to www.example.com".
>
>   Firewalls have to trade off speed with functionality.  If the
> firewall has to cache SRV responses, or worse yet, has to 
> initiate a SRV response in response to seeing a packet go through,
> the firewall is opening itself up to a terrible denial of
> service attack, or at least, potentially increasing the latency
> of packets going through it hugely, or dropping those packets
> outright.

Yes, I agree, but my point is that if you would try to use SRV records
as a scheme to circumvent stupid firewall rules, it's not unlikely
that some firewall manufacturer would implement SRV filtering support
and market it as a feature.
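An added illustration (not code from this message or from anyone in the thread) of the two rule styles compared above. The zone data, the rule tuple format and the packet format are all constructed for the example and are not any firewall's syntax; the service rule is keyed on the name the SRV record is published under (example.com) rather than on www.example.com, which RFC 2782 makes the SRV target. The `lookups` counter in `SrvFilter` records how often the firewall had to go to DNS, which is the cost the quoted reply is worried about.

```python
"""SRV-aware ("service") firewall rule beside a traditional port rule.

Constructed example for illustration only. Zone data, rule format and packet
format are made up; nothing here is a real firewall's syntax. The SRV
presentation format follows RFC 2782:
    _service._proto.name  TTL IN SRV priority weight port target
"""
import time
from typing import Callable, Dict, List, NamedTuple, Set, Tuple

# Constructed zone: HTTP for example.com is served on ports 80, 8080 and 8443.
CONSTRUCTED_ZONE = """
_http._tcp.example.com.  300 IN SRV 10 60 80   www.example.com.
_http._tcp.example.com.  300 IN SRV 10 40 8080 www2.example.com.
_http._tcp.example.com.  300 IN SRV 20 0  8443 backup.example.com.
_imap._tcp.example.com.  300 IN SRV 0  0  143  mail.example.com.
www.example.com.         300 IN A   192.0.2.10
www2.example.com.        300 IN A   192.0.2.11
backup.example.com.      300 IN A   192.0.2.12
mail.example.com.        300 IN A   192.0.2.20
"""


class SrvRecord(NamedTuple):
    ttl: int
    priority: int
    weight: int
    port: int
    target: str


class Packet(NamedTuple):
    dst: str      # destination IPv4 address
    dport: int    # destination port
    proto: str    # "tcp" or "udp"


Endpoint = Tuple[str, int]  # (address, port)


def parse_zone(text: str) -> Tuple[Dict[str, List[SrvRecord]], Dict[str, Set[str]]]:
    """Parse the SRV and A records of a zone given in presentation format."""
    srv: Dict[str, List[SrvRecord]] = {}
    addrs: Dict[str, Set[str]] = {}
    for line in text.strip().splitlines():
        f = line.split()
        if len(f) < 5 or f[2] != "IN":
            continue
        owner, ttl, rtype = f[0].lower(), int(f[1]), f[3]
        if rtype == "SRV" and len(f) == 8:
            srv.setdefault(owner, []).append(
                SrvRecord(ttl, int(f[4]), int(f[5]), int(f[6]), f[7].lower()))
        elif rtype == "A":
            addrs.setdefault(owner, set()).add(f[4])
    return srv, addrs


def port_rule_blocks(pkt: Packet, dst: str, port: int, proto: str) -> bool:
    """Traditional rule: 'stop all packets for port 80 to 192.0.2.10'."""
    return pkt.proto == proto and pkt.dst == dst and pkt.dport == port


class SrvFilter:
    """Service rule: 'stop all packets for HTTP/TCP to example.com'.

    The firewall resolves _http._tcp.example.com to (address, port) endpoints
    and caches the answer for the RRset's TTL. Every cache miss is a DNS
    round trip in a real device, so `lookups` is the number of times this
    filter would have stalled on (or been flooded into) a resolver.
    """

    def __init__(self, zone_text: str, rules: List[Tuple[str, str, str]],
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.srv, self.addrs = parse_zone(zone_text)   # stands in for the resolver
        self.rules = rules                              # (name, service, proto)
        self.cache: Dict[str, Tuple[float, Set[Endpoint]]] = {}
        self.clock = clock
        self.lookups = 0

    def resolve(self, name: str, service: str, proto: str) -> Set[Endpoint]:
        owner = f"_{service}._{proto}.{name}".lower().rstrip(".") + "."
        now = self.clock()
        cached = self.cache.get(owner)
        if cached is not None and cached[0] > now:
            return cached[1]
        self.lookups += 1                  # a real firewall sends a DNS query here
        rrset = self.srv.get(owner, [])
        endpoints = {(a, rr.port) for rr in rrset for a in self.addrs.get(rr.target, ())}
        ttl = min((rr.ttl for rr in rrset), default=0)   # no negative caching
        self.cache[owner] = (now + ttl, endpoints)
        return endpoints

    def blocks(self, pkt: Packet) -> bool:
        return any(pkt.proto == proto
                   and (pkt.dst, pkt.dport) in self.resolve(name, service, proto)
                   for name, service, proto in self.rules)


if __name__ == "__main__":
    fw = SrvFilter(CONSTRUCTED_ZONE, [("example.com", "http", "tcp")])
    for pkt in (Packet("192.0.2.10", 80, "tcp"),     # conventional port
                Packet("192.0.2.11", 8080, "tcp"),   # HTTP moved via SRV
                Packet("192.0.2.20", 143, "tcp")):   # IMAP, not covered
        print(pkt, "port-80 rule:", port_rule_blocks(pkt, "192.0.2.10", 80, "tcp"),
              "SRV rule:", fw.blocks(pkt))
    print("DNS lookups performed:", fw.lookups)
```

The packet to 192.0.2.11:8080 is the "circumvention" case: a port-80 rule never sees it, while the service rule blocks it because the SRV RRset advertises that port. Conversely, once the RRset expires, every matching packet costs a fresh lookup, and an unresolvable name (TTL 0 here) is never cached at all.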
