Posted May 9, 2011 4:36 UTC (Mon) by gdt (subscriber, #6284)
Particularly the lack of instrumentation, especially of problematic middleboxes such as application (de)accelerators and firewalls. Even basic monitoring is poor, with links that have application-performance-killing high error rates often creeping under the radar of monitoring tools like Nagios.
It's rare to see routing designed with good choices and configured correctly. There's a simple tell-tale test: type in an unassigned IP address on the corporate network; does it error immediately or time out?
The poor state of corporate networks isn't helped by networking equipment vendors, who often ship equipment with near-essential settings off for "backward compatibility".
Finally, many sysadmins and applications are their own worst enemy. Using IP addresses rather than DNS names (they're going to regret that, come IPv6). Disabling ethernet autonegotiation. Assuming link layer connectivity for high-availability schemes. Refusing to deal with authentication and authorisation issues within the application, but pushing that into VLANs and VPNs, thus turning the corporate network into a flat layer two network, with resulting poor behaviour under fault conditions.
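The tell-tale test from the comment above, as an added script that is not part of the original post: it attempts one TCP connection to an address and reports whether something on the path answered immediately (ICMP unreachable or a reset) or the attempt silently timed out. The default target 192.0.2.1 (RFC 5737 TEST-NET-1), port 80 and the 3-second timeout are assumptions; replace the target with an address you know is unassigned inside your own network.

```python
import errno
import socket
import time

# errno values a router or host returns right away: an ICMP unreachable
# (network/host unreachable) or a TCP reset (connection refused).
FAST_FAIL = {errno.ENETUNREACH, errno.EHOSTUNREACH, errno.ECONNREFUSED}


def classify(result, elapsed, timeout):
    """Map a probe outcome to one of the answers the tell-tale test asks for.

    result: 'connected', 'timeout', or the errno value of a failed connect().
    """
    if result == "connected":
        return "connected"          # the address is assigned after all
    if result == "timeout" or result == errno.ETIMEDOUT:
        return "timeout"            # nothing on the path said 'unreachable'
    if result in FAST_FAIL and elapsed < timeout:
        return "immediate-error"    # a router or host answered promptly
    return "other"                  # e.g. DNS/socket errors, errno None


def probe(addr, port=80, timeout=3.0):
    """TCP-connect to addr:port once; return (verdict, elapsed seconds)."""
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    start = time.monotonic()
    with socket.socket(family, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((addr, port))
            result = "connected"
        except socket.timeout:
            result = "timeout"
        except OSError as e:
            result = e.errno
    elapsed = time.monotonic() - start
    return classify(result, elapsed, timeout), elapsed


if __name__ == "__main__":
    import sys
    # Assumed default: a constructed TEST-NET-1 address (RFC 5737), which
    # should never be assigned on a corporate network.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"
    verdict, secs = probe(target)
    print(f"{target}: {verdict} after {secs:.2f}s")
```

A prompt "immediate-error" means a router or host on the path rejected the packet and said so; a "timeout" means the packets were silently dropped or wandered until the client gave up, which is what the comment describes as badly designed routing.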
Posted May 9, 2011 8:39 UTC (Mon) by Cyberax (✭ supporter ✭, #52523)
I have many times seen internal services using HTTP with plain-text auth on local networks, because administrators think it's 'secure'. Hell, probably everyone here is guilty of that.
Fortunately, the situation is changing. With IPv6 it's possible to do end-to-end IPSec (which is not possible due to #(*$&(@$& NATs right now) and with DNSSEC it's possible to reliably store host certs in RDNS.
Posted May 9, 2011 12:43 UTC (Mon) by paulj (subscriber, #341)
Posted May 9, 2011 16:13 UTC (Mon) by raven667 (subscriber, #5198)
Universal end-to-end nightmare
Posted May 19, 2011 18:39 UTC (Thu) by oelewapperke (guest, #74309)
Given how many security problems we have, and how quickly they get fixed ... this is sadly a good thing.
Posted May 9, 2011 18:03 UTC (Mon) by Cyberax (✭ supporter ✭, #52523)
With IPv6 it's exactly backwards - it's a struggle NOT to make your computers globally addressable.
Posted May 9, 2011 21:48 UTC (Mon) by paulj (subscriber, #341)
Posted May 10, 2011 8:18 UTC (Tue) by Cyberax (✭ supporter ✭, #52523)
The changes will take years, so there'll be plenty of time for security to evolve. But we now have foundation for it.
Posted May 10, 2011 9:55 UTC (Tue) by paulj (subscriber, #341)
Posted May 10, 2011 11:50 UTC (Tue) by Cyberax (✭ supporter ✭, #52523)
And corporate networks will benefit from end-to-end security most, so I expect that they'll migrate to IPsec even before home users.
Posted May 10, 2011 17:35 UTC (Tue) by dlang (✭ supporter ✭, #313)
Posted May 10, 2011 17:41 UTC (Tue) by Cyberax (✭ supporter ✭, #52523)
Besides, it's not like I can't make an HTTPS tunnel which can pierce all but the most paranoid firewalls right now. Skype does this, for example.
Posted May 10, 2011 21:37 UTC (Tue) by Tobu (subscriber, #24111)
Posted May 10, 2011 21:45 UTC (Tue) by raven667 (subscriber, #5198)
Posted May 19, 2011 18:40 UTC (Thu) by oelewapperke (guest, #74309)
And it's perfectly secure.
Posted May 23, 2011 4:24 UTC (Mon) by RobertBrockway (guest, #48927)
Posted May 11, 2011 18:36 UTC (Wed) by Baylink (subscriber, #755)
The problem with utopias is that it only takes *one* Bad Guy to fuck things up for the rest of us.
"That's not a feature, that's a bug."
Posted May 12, 2011 13:42 UTC (Thu) by Cyberax (✭ supporter ✭, #52523)
Posted May 19, 2011 18:46 UTC (Thu) by oelewapperke (guest, #74309)
It kinda does solve a lot of problems.
I mean, I hate nat just like the next guy. But you won't get anywhere by declaring it doesn't solve anything. You'll be just like gaia idiots screaming before the capitol to get America off oil, not realizing they're basically asking America to cut its economy by 95% or more. Not going to happen (and it's a *good* thing we don't honor such requests).
NAT is a beautifully simple solution. And it is possible to modify just about any protocol to work with nat. I fear nat and ipv4 may be here to stay.
Certainly converting RIPE, APNIC and AFRINIC over to ARIN rules would give us another 10 years easily. Saying "an IP will cost you $0.01 per year" will get us another 100 years.
Posted May 19, 2011 19:11 UTC (Thu) by nybble41 (subscriber, #55106)
Anyway, most home routers aren't much more secure with NAT, since they allow ports to be forwarded via UPnP requests. If you're running a server and opening forwarding ports with UPnP you might as well permit direct access; if not, blocking the connection at the server (because the port is closed) is just as effective as blocking it at the firewall. An effective firewall must be configured by the network administrator to accept or reject specific traffic, not simply permit incoming connections to any local server that asks politely while blocking the ones which would have been rejected anyway.
Blame the network
Posted May 9, 2011 5:35 UTC (Mon) by ringerc (subscriber, #3071)
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds