Single Packet Authorization (Linux Journal)

Posted Mar 7, 2007 18:28 UTC (Wed) by tialaramex (subscriber, #21167)
In reply to: Single Packet Authorization (Linux Journal) by bronson
Parent article: Single Packet Authorization (Linux Journal)

Yes, your position is more clear. I think we're pretty much on the same wavelength about what the problems are and the extent to which different techniques are appropriate; it's just that I don't agree with your choice of solution (although I agree it's working for you). I prefer elegant solutions, and I see sparse addresses as elegant while secret handshakes are not. I haven't any data as to which is more effective in practice.

Adding "more" iptables rules would constitute a non-negligible increase in attack surface for me because I don't currently use, or intend to use, iptables. Of course you could argue that using IPv6 at all, even during the lengthy (perhaps a decade or more still) transition period also increases the attack surface, but if you view IPv6 as inevitable then finding any security problems in it now seems like a good up-front investment.

My original purpose in mentioning this was to justify why I think scanning is mostly a transitory problem not worthy of creating specialised protocols and tools like the one in the article.


Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds