Re: Protection of port 500
> Isn't this approach just looking for trouble?
Not really...
> Can applications be trusted to protect themselves from, let's say, DoS
> attacks?
I used the phrase "trusted applications" in the almost MLS-sense of the
word. If you RTM on Solaris, you'll note that bypassing node-wide policy can
only be done by root privileged apps. You shouldn't grant such a privilege
willy-nilly, which I believe is your point.
BTW, you can never _fully_ extinguish Denial-of-Service. There's a paper
co-authored by a contributor to this list and WG that explains this. All you
can do is reduce the risk to an acceptable level. (What's the difference
between DoS and a very busy day of legitimate use?)
> I'd want at least the option of some lower layer policy enforcement (ACLs,
> filters, etc.) in addition to whatever the app layer provides.
For such paranoia, a good implementation should allow that. We allow
node-wide policy to disallow even the root-restricted bypass privilege we
normally allow. We do not default to that, so that we can make our IKE
daemon do per-socket bypass, as well as allow future versions of diagnostic
tools (e.g. traceroute) to potentially bypass policy on a per-invocation
basis.
Dan