Date: Wed, 02 Apr 2003 07:14:59 +0100
From: David Pick <d.m.pick@qmul.ac.uk>
To: richard childers / kg6hac <fscked@pacbell.net>
Cc: security@FreeBSD.ORG
Subject: Re: rfc3514 - Security Flag in the IPv4 Header
Message-ID: <E190bWV-0009rF-00@xi.css.qmw.ac.uk>
In-Reply-To: Your message of "Tue, 01 Apr 2003 14:41:34 -0800." <3E8A159E.382DC088@pacbell.net>
> Any chance this is an April Fool's joke? The idea is sound and brilliant in concept.
> Inquiring minds see a real snakepit involved in applications
> setting and honoring a bit that conveys dishonorable
> intentions. /-:

I think it's unfortunate that someone as well respected as Stephen Bellovin should fall prey to an obvious trap.

One might very well think that it really doesn't matter which way a bit gets set (or, to put it another way, whether a zero or one value indicates "Evil"). Taken in isolation this is true; however, as with all "upwards compatible" changes to the Internet protocols, we have to take into account the previous situation. Pre-RFC3514 packets will have this bit set to a value of zero, and this includes packets with evil intent. Since we know that *most* packets on the Internet at the moment are of evil intent, we should assume this fact and insist that packets should have this bit set to one to positively assure us that the packet is *known* to have pure and unsullied motives.

After all, in the security world it is recognised that a "default deny" policy is much stronger than a "default accept" policy.

-- 
David Pick
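RFC 3514 is an April 1 RFC, but the bit it names is a real one: the reserved high-order bit of the IPv4 flags/fragment-offset word (octets 6 and 7 of the header). The Python below is added here as an illustration and is not part of the thread or of any FreeBSD code. It parses that header (with a checksum check, since a filter should not act on a corrupt one), then runs constructed sample packets through the RFC's own rule (bit set means evil, so the default is accept) and through the inversion argued for in the message above (bit set means known-good, everything else is denied). The addresses, packet contents and policy names are invented for the example.

```python
import struct

# RFC 3514 puts its bit in the IPv4 header's reserved flag: the high-order bit
# of the 16-bit flags/fragment-offset word at octets 6-7.
RFC3514_BIT = 0x8000
DF_BIT = 0x4000
MF_BIT = 0x2000
IPV4_HEADER_FMT = "!BBHHHBBH4s4s"   # fixed 20-byte header, no options
IPV4_MIN_HEADER_LEN = struct.calcsize(IPV4_HEADER_FMT)


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement sum over the header, 16 bits at a time."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, bit_set: bool, proto: int = 6) -> bytes:
    """Construct a minimal IPv4 header; used here only to make sample packets."""
    flags_frag = (RFC3514_BIT if bit_set else 0) | DF_BIT
    hdr = struct.pack(IPV4_HEADER_FMT, 0x45, 0, IPV4_MIN_HEADER_LEN, 0x1234,
                      flags_frag, 64, proto, 0,
                      bytes(int(o) for o in src.split(".")),
                      bytes(int(o) for o in dst.split(".")))
    # Checksum field (octets 10-11) is computed over the header with itself zeroed.
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the fields a filter needs, rejecting anything that is not IPv4."""
    if len(packet) < IPV4_MIN_HEADER_LEN:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto, _csum,
     src, dst) = struct.unpack(IPV4_HEADER_FMT, packet[:IPV4_MIN_HEADER_LEN])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < IPV4_MIN_HEADER_LEN or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    return {
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "proto": proto,
        "total_len": total_len,
        "rfc3514_bit": bool(flags_frag & RFC3514_BIT),
        "df": bool(flags_frag & DF_BIT),
        "mf": bool(flags_frag & MF_BIT),
        "frag_offset": flags_frag & 0x1FFF,
        # A checksum taken over the header including its own checksum field folds to 0.
        "checksum_ok": ipv4_checksum(packet[:ihl]) == 0,
    }


def rfc3514_policy(hdr: dict) -> str:
    """RFC 3514 as written: bit=1 means evil, so the default is accept."""
    return "drop" if hdr["rfc3514_bit"] else "accept"


def default_deny_policy(hdr: dict) -> str:
    """The inversion argued for above: bit=1 means known-good; a zero bit
    (every pre-RFC packet, evil or not) is untrusted and dropped."""
    return "accept" if hdr["rfc3514_bit"] else "drop"


def evaluate(packets, policy) -> dict:
    """Run each (name, raw_packet) pair through one policy; returns name -> verdict.
    A header that fails its checksum is dropped before any policy sees it."""
    verdicts = {}
    for name, raw in packets:
        hdr = parse_ipv4_header(raw)
        verdicts[name] = policy(hdr) if hdr["checksum_ok"] else "drop"
    return verdicts


# Constructed sample traffic (documentation addresses, no real hosts).
# "legacy" packets predate the RFC, so their bit is zero whatever their intent.
SAMPLE_PACKETS = [
    ("legacy benign",   build_ipv4_header("192.0.2.10", "198.51.100.5", bit_set=False)),
    ("legacy attacker", build_ipv4_header("192.0.2.66", "198.51.100.5", bit_set=False)),
    ("bit set",         build_ipv4_header("192.0.2.20", "198.51.100.5", bit_set=True)),
]

if __name__ == "__main__":
    for label, policy in (("RFC 3514 (default accept)", rfc3514_policy),
                          ("inverted (default deny)", default_deny_policy)):
        print(label, evaluate(SAMPLE_PACKETS, policy))
```

Under the RFC's own rule the legacy attacker sails through with everyone else; under the inversion it is dropped, at the price of dropping every legacy packet, which is exactly the trade-off a default-deny posture makes.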