[e2e] security through obscurity *does* work - keep an open mind...
David P. Reed
dpreed at reed.com
Mon Feb 13 19:09:28 PST 2006
Scott Boone wrote:
> my slogan-related concern did not have anything to do with how secure
> the identification of the host itself was. my remark had more to do
> with the following issue:
> 1) something somewhere (edge routers, NAT boxes) has to have globally
> reachable addresses. these are still attackable. hiding some IDs
> doesn't hide all IDs, and is of limited utility. it is unclear to me
> how much you will gain by obfuscating a host's IP; my understanding
> (mostly obtained from a skimming the occasional NANOG and CAIDA
> presentation) is that serious DDoS attacks tend to impact edge
> routers and links.
Jon Crowcroft is focused on reducing the ability to do DDoS by making it
hard to construct "botnets" that can act in concert on a sufficiently
large scale to pose danger to large targets. This has nothing to do
with global reachability of targets, or where the targets are. It's
probably impossible to obscure the targets, anyway - the key thing about
targets is that they must be reachable in order to be useful in their
day jobs (when not being targets), since many of the most important
targets must *by definition* be well-known and globally reachable by
many. Since slowing access or limiting reachability denies service in
and of itself, it's probably not a good solution to a DDoS risk to
self-impose denial of service to one's customers.
I apologize for including additional tangential comments regarding
reasoning by slogans. However, nothing you've said bears on my main
point. It is true that "security by obscurity" is too vague a phrase
to reason with, and thus really should be avoided if one is attempting
to come to a valid conclusion based on careful, rational
argumentation. As I began my argument: the whole value of cryptography
is tied precisely to the construction of obscurity - hiding information
that in principle can be recovered, but at a cost that is thought to be
prohibitive. What creates weakness is "security through limited opacity
easily removed", not "security through 'provably costly to invert'
obscurity". Since both are within the scope of meaning of the term
"obscurity", the use of the phrase "security through obscurity"
contributes nothing substantial to the discussion. Quantitative
reasoning is required, as well as valid assumptions about knowledge
available to the participants through side channels (again depending on
ignorance, aka obscurity).
More information about the end2end-interest