Subject: Re: Usability enhancement for IP6
To: None <is@NetBSD.org, smb@cs.columbia.edu>
From: List Mail User <track@Plectere.com>
List: tech-net
Date: 02/08/2005 13:01:20
>From: "Steven M. Bellovin" <smb@cs.columbia.edu>
>To: Ignatios Souvatzis <is@NetBSD.org>
>Cc: tech-net@NetBSD.org
>Subject: Re: Usability enhancement for IP6
>Date: Tue, 08 Feb 2005 15:04:41 -0500
>
>In message <20050208194835.GB27486@beverly.kleinbus.org>, Ignatios Souvatzis writes:
>>
>>Hi,
>>
>>Bryan Phillippe wrote:
>>
>>> We should probably make an analogous change to tcp4 as well.  As someone
>>> else pointed out, some firewalls (including the one I wrote for my
>>> employer's network device) can return "administratively prohibited" for
>>> blocked services.
>>
>>"can return"?
>>
>>What, if not this condition, would "administratively prohibited" be used
>>for?
>>
>
>Some firewalls simply silently drop the packets, without returning 
>anything.
>
>		--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb
>
>
	Other times it is appropriate to return other codes like "filter
prohibited" or "host prohibited".  For unsupported services, "port unreachable"
may be a better choice.  And for some (admittedly extreme) cases, I `forge'
an initial SYN-ACK in the firewall, then use "administratively prohibited"
for any further packets on that connection (slows *many* hacking attempts
to a crawl).  Also, if you are using IPF, you should decide whether to use
"return-icmp" or if using "return-icmp-as-dest" is more appropriate for each
case (i.e. do you want it to appear that the firewall or the target machine
itself is doing the denial).

	Whatever you do, dropping the packets for "ident" requests will slow
mail delivery to nearly a halt and (at least for TCP connections) for this
case and a few others, IPF's "return-rst" is the best choice.

	Good luck,

	Paul Shupak
	track@plectere.com
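
The IPF choices discussed in the message above, as an added example that is not part of the original post: an ipf.conf fragment showing a different refusal for each case. The interface name (fxp0), the 192.0.2.0/24 addresses and the port numbers are assumed for illustration. In IPF's naming, "filter-prohib" is ICMP unreachable code 13 (communication administratively prohibited), "host-prohib" is code 10 and "port-unr" is code 3; return-icmp sends the reply from the firewall's own address, return-icmp-as-dest sends it as if from the target host, and return-rst applies only to TCP.

```ipf
# Added example, not from the original post. Interface, addresses and
# ports are made up. Rules carry "quick", so the first match wins and
# the specific rules must precede the catch-all at the end.

# ident (113): dropping these stalls mail delivery while the remote MTA
# waits for a timeout; a TCP RST makes the sender give up at once.
block return-rst in quick on fxp0 proto tcp from any to any port = 113

# Service this network does not run at all: "port unreachable", sent as
# if from the target itself (return-icmp-as-dest), so the firewall does
# not reveal its own address.
block return-icmp-as-dest(port-unr) in quick on fxp0 proto udp from any to 192.0.2.0/24 port = 161

# Service that exists but is blocked by policy: "filter prohibited" or
# "host prohibited", sent from the firewall's own address (return-icmp).
block return-icmp(filter-prohib) in quick on fxp0 proto tcp from any to 192.0.2.0/24 port = 135
block return-icmp(host-prohib) in quick on fxp0 proto tcp from any to 192.0.2.99

# Traffic we want: inbound SMTP to the mail host, tracked statefully.
pass in quick on fxp0 proto tcp from any to 192.0.2.25 port = 25 flags S keep state

# Everything else to this network is silently dropped (no reply at all).
block in quick on fxp0 from any to 192.0.2.0/24
```

Load with "ipf -Fa -f /etc/ipf.conf" and check the result with "ipfstat -io"; which reply a blocked connection actually receives can be confirmed from the client side with a packet capture on the firewall's outside interface.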