[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Retraining "IT" on networking myths (the cloud to the rescue!)

Subject: Retraining "IT" on networking myths (the cloud to the rescue!)
From: michael at rancid.berkeley.edu (Michael Sinatra)
Date: Wed, 08 Jun 2011 18:54:34 -0700
In-reply-to: <[email protected]>
References: <[email protected]> <[email protected]> <BANLkTi=1yxRca06LOuxooSh0Ueiv_15+CmT8CkuvFcXuL2Odfw@mail.gmail.com> <[email protected]> <[email protected]>

On 06/08/11 18:32, Jared Mauch wrote:

> MYTHS:
>
> TCP/53 is only for zone transfers ICMP is a security risk/ddos
> avenue Internal networks must be secured with NAT A firewall is the
> only way to secure the perimiter
>
> In fact for IPv6, ICMP is more important vs less.  Firewalls
> frequently harm and don't block data going out.  TCP/53 is needed for
> EDNS.

tcp/53 is needed when EDNS is _not_ available and DNS message size 
exceeds 512 bytes.  UDP fragments are (sometimes) necessary for EDNS.

So, that adds to your MYTHS section:

Fragmented packets (like ICMP) are always a security risk and DDoS vector

michael

References:
- World of Warcraft may begin using IPv6 on Tuesday
  - From: frnkblk at iname.com (Frank Bulk)
- World of Warcraft may begin using IPv6 on Tuesday
  - From: rps at maine.edu (Ray Soucy)
- World of Warcraft may begin using IPv6 on Tuesday
  - From: marka at isc.org (Mark Andrews)
- Retraining "IT" on networking myths (the cloud to the rescue!)
  - From: jared at puck.nether.net (Jared Mauch)

Prev by Date: Thank you Microsoft (and others)
Next by Date: Cogent IPv6
Previous by thread: Retraining "IT" on networking myths (the cloud to the rescue!)
Next by thread: Cogent IPv6
Index(es):
- Date
- Thread