[PLUG] another reason or two why IPv6 rocks

Daniel Pittman daniel at rimspace.net
Thu Feb 3 06:15:55 UTC 2011


On Mon, Jan 31, 2011 at 09:12, Tim <tim-pdxlug at sentinelchicken.org> wrote:

[...]

>> Didn't you agree that a secret IP was identical to a secret port
>> sequence earlier?  I would certainly grant this is no worse than port
>> knocking, but I can't see how it represents any improvement.
>
> I guess you missed the part where I mentioned clients no longer need
> any special client side software or even need to take any additional
> steps to access the service.  They merely need to remember a secret
> domain name, which I would estimate is significantly easier than
> installing some special client or even taking the additional step of
> logging into some web page to white list themselves.

Sorry, no, but I wasn't clear about why I don't see this as any better
performing than port knocking.  However, on reflection, I would even
grant that claim: the use of a DNS label as the password is easier,
and requires less pre-configuration than port knocking.  It is also
much more likely to pass unmolested through the (frequently stupid)
outbound filtering on various vendor networks.

I would suggest, however, that it is actually less secure against
eavesdroppers, since you can observe a well known and structured
protocol, and even automatically scan for data that doesn't follow the
standard distribution of English text to find interesting labels to
consider.

As you note in your thesis, adding additional cryptographic systems,
or an OTP, to the protocol would secure things nicely – but it would
require appropriate client software, at which point the advantage over
other secure protocols is more limited.

*shrug*  Overall I don't think my assessment compared to port knocking
has been changed, but the reasons have.  I appreciate your taking the
time to talk it over for that reason. :)

[...]

>> Sure.  OTOH, it remains secure, just unavailable, and frankly: if
>> someone wants to DoS your system the infrastructure to do that is
>> pretty readily available and inexpensive.  The attacker almost
>> certainly can manage even without something like this attack.
>
> Maybe.  Content distribution networks today do a pretty darned good
> job of mitigating attacks using lots of network tricks, though it
> seems to require throwing a lot of hardware at the problem.

*nod*  I certainly don't deny it, and I don't think this is an excuse
to just throw up hands and give up.  I just think that it limits the
degree to which we should worry about DoS issues compared to other
attacks.

Regards,
    Daniel
-- 
⎋ Puppet Labs Developer – http://puppetlabs.com
✉ Daniel Pittman <daniel at rimspace.net>
✆ Contact me via gtalk, email, or phone: +1 (503) 893-2285
♲ Made with 100 percent post-consumer electrons
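An added example, not part of the thread, illustrating Daniel's point that a secret DNS label is exposed to anyone who can read cleartext queries: the same character-distribution test that resolver operators use to spot algorithmically generated names in their logs also singles out an unguessable label. The log format, the zone `example.net`, and the labels are all constructed for the example.

```python
"""Why a secret DNS label is weak against an eavesdropper: DNS queries travel
in cleartext, and a label chosen to be unguessable looks statistically unlike
ordinary hostnames. The same check is routinely run by defenders to notice
algorithmically generated names in resolver logs."""
import math
from collections import Counter

# Constructed resolver log lines (hypothetical format: client qname qtype).
SAMPLE_LOG = """\
10.0.0.5 mail.example.net AAAA
10.0.0.5 www.example.net AAAA
10.0.0.7 intranet.example.net AAAA
10.0.0.9 k7q2xz9vt3bq.example.net AAAA
"""

def shannon_entropy(s: str) -> float:
    """Bits per character from the label's own character frequencies."""
    counts = Counter(s.lower())
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def vowel_ratio(s: str) -> float:
    """Share of letters that are vowels; English-like labels sit well above zero."""
    letters = [ch for ch in s.lower() if ch.isalpha()]
    return sum(ch in "aeiou" for ch in letters) / len(letters) if letters else 0.0

def digit_ratio(s: str) -> float:
    return sum(ch.isdigit() for ch in s) / len(s) if s else 0.0

def is_unusual_label(label: str) -> bool:
    """Flag labels that do not look like ordinary English-derived hostnames.
    Short labels are skipped: entropy on a few characters is meaningless."""
    if len(label) < 6:
        return False
    return (shannon_entropy(label) >= 3.0
            or vowel_ratio(label) < 0.15
            or digit_ratio(label) > 0.3)

def flag_unusual_qnames(log_text: str, zone: str) -> list[str]:
    """Return queried names under `zone` whose leftmost label looks unusual."""
    flagged = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or not parts[1].endswith("." + zone):
            continue
        qname = parts[1]
        leftmost = qname[: -len(zone) - 1].split(".")[0]
        if is_unusual_label(leftmost):
            flagged.append(qname)
    return flagged

if __name__ == "__main__":
    print(flag_unusual_qnames(SAMPLE_LOG, "example.net"))
```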
