Mailing List Archive



Re: [tlug] Ping vs www server



Josh Glover writes:

 > And I'm still not entirely convinced by your standards compliance
 > argument; lots of network hardware no longer uses ICMP for flow
 > control and routing,

And some still does.  The Internet has grown as it has because of its
consensus that standards-based implementations of implementation-proved
standards are the way forward.

The easy thing to do is for me to check that RFC 1122 has not been
obsoleted.  Until it has been obsoleted, you manage rogue hosts by not
supporting ICMP.

 > I mean, we basically need a new Internet, one built on protocols and
 > standards with security baked in from the beginning rather than
 > slathered on top.

This is really not clear.  Microsoft tried to deliver that, and was
resoundingly rebuffed in the market.  Phil Karn and others have been
building more secure networks 12 ways since like 1980, and what's the
uptake on PGP been?  Even as progressive a collection of folks as TLUG
doesn't universally use PGP.  Kerberos, etc., are just now coming into
widespread use as a fundamental part of the networked personal
workstation architecture.  Fascism just doesn't work very well as a
social system.  The Internet, which is as democratic a social system
as exists anywhere, has worked astoundingly well.

I also don't really see where secured low-level protocols benefit us
(TLUG members running private internet hosts vs. them = e-commerce
entities).  We've got TLS protocols to give us secure virtual
circuits.  https is a little more expensive to implement, but
buccaneers can implement that and offer up trojans for download via
https.  SSH and PGP offer a very flexible set of ways to communicate
securely over the public Internet; where is the benefit to us of
IPsec?

Yes, email, wiki, and DNS are problems.  But email and wiki are
insecure by high-level design, and DNS is a discovery protocol; it
must be open to the public or it's worthless.

On the contrary, the more security (i.e., exclusive use) is built into
the underlying protocols and made the default, the more services
offered on the Internet will be set up for exclusive use.  I can't see
this as a net positive to you.

 > I may be wrong in my stance; but my call is to protect my network
 > at any cost.

My claim is that you're not doing that.  From your *very* local point
of view you see no benefit to accepting ICMP and some security risk to
doing so.  That is true as far as it goes, but that is the same excuse
that is always made for disregarding standards[1].  "The standard sucks
and it doesn't take into account my circumstances."  Well, la-di-dah!
The whole point of standards is to get in the way of you responding
optimally to your local circumstances, so that the environment can be
improved.

So what you are doing is destroying the Internet to save it.  This is
not a profit to you.

Footnotes: 
[1]  Not to mention refusing to cooperate in other ways.
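The RFC 1122 point made in the message above (every host MUST implement an ICMP Echo server, section 3.2.2.6) has a practical middle ground that neither correspondent spells out: keep the ICMP types the standard and Path MTU discovery (RFC 1191) depend on, rate-limit echo so it cannot be used as a flood amplifier, and drop only the types that carry real risk. The following is an added example written for this archive page; it is not code from either poster or from TLUG. It parses an ICMPv4 message, verifies the RFC 1071 checksum, and applies such a host policy. The type constants are from RFC 792; the decision to drop Redirects is an assumption that the host sits behind a single router, and the rate and burst figures are illustrative.

```python
"""ICMPv4 parse + host filter policy: honour RFC 1122 echo without
accepting everything.  Added example; not from the original thread."""
import struct

# ICMPv4 message types (RFC 792).
ECHO_REPLY = 0
DEST_UNREACHABLE = 3
REDIRECT = 5
ECHO_REQUEST = 8
TIME_EXCEEDED = 11
TIMESTAMP_REQUEST = 13
ADDRESS_MASK_REQUEST = 17


def rfc1071_checksum(data: bytes) -> int:
    """Ones'-complement sum of 16-bit words, complemented (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"                     # pad odd-length data with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, payload: bytes = b"") -> bytes:
    """Serialise an ICMPv4 message with a correct checksum."""
    header = struct.pack("!BBH", icmp_type, code, 0) + payload
    csum = rfc1071_checksum(header)
    return struct.pack("!BBH", icmp_type, code, csum) + payload


def parse_icmp(packet: bytes):
    """Return (type, code, payload); raise ValueError on a bad checksum."""
    if len(packet) < 4:
        raise ValueError("truncated ICMP header")
    icmp_type, code, _ = struct.unpack("!BBH", packet[:4])
    # Summing a valid packet including its checksum field folds to 0xFFFF,
    # whose complement is 0.
    if rfc1071_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    return icmp_type, code, packet[4:]


def host_policy(icmp_type: int, code: int) -> str:
    """Per-type verdict for an end host (not a router)."""
    if icmp_type in (ECHO_REQUEST, ECHO_REPLY):
        return "accept"                     # RFC 1122 3.2.2.6: echo server is a MUST
    if icmp_type in (DEST_UNREACHABLE, TIME_EXCEEDED):
        return "accept"                     # type 3 code 4 is what Path MTU discovery
                                            # (RFC 1191) relies on; traceroute needs type 11
    if icmp_type == REDIRECT:
        return "drop"                       # assumption: single-router host, so an on-link
                                            # peer has no business rewriting our routes
    if icmp_type in (TIMESTAMP_REQUEST, ADDRESS_MASK_REQUEST):
        return "drop"                       # optional in RFC 1122; only leak information
    return "drop"


class EchoRateLimiter:
    """Token bucket for echo requests; the caller supplies the clock so the
    behaviour is deterministic and testable."""

    def __init__(self, rate_per_s: float, burst: int):
        self.rate, self.burst = rate_per_s, burst
        self.tokens, self.last = float(burst), None

    def allow(self, now: float) -> bool:
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def host_filter(packet: bytes, limiter: EchoRateLimiter, now: float) -> str:
    """Full verdict for one inbound ICMPv4 message."""
    try:
        icmp_type, code, _ = parse_icmp(packet)
    except ValueError:
        return "drop"                       # malformed: never let it reach the stack
    verdict = host_policy(icmp_type, code)
    if verdict == "accept" and icmp_type == ECHO_REQUEST and not limiter.allow(now):
        return "drop"                       # still RFC-compliant: echo is served, floods are not
    return verdict


if __name__ == "__main__":
    # Constructed sample traffic: a short echo burst, a redirect, a PMTU probe.
    lim = EchoRateLimiter(rate_per_s=1.0, burst=3)
    ping = build_icmp(ECHO_REQUEST, 0, b"ping!")
    for t in (0.0, 0.0, 0.0, 0.0, 1.0):
        print("echo @%.1fs -> %s" % (t, host_filter(ping, lim, t)))
    print("redirect  ->", host_filter(build_icmp(REDIRECT, 1, b"\x00" * 4), lim, 2.0))
    print("frag-needed ->", host_filter(build_icmp(DEST_UNREACHABLE, 4, b"\x00" * 4), lim, 2.0))
```

The limiter only charges echo requests, so a burst of pings cannot starve the unreachable and time-exceeded messages the host needs for correct operation; a blanket "drop all ICMP" rule, by contrast, silently breaks Path MTU discovery for every connection that crosses a smaller-MTU link.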



