In a message written on Wed, Oct 29, 2003 at 02:24:54PM -0600, Kuhtz, Christian wrote:
Isn't that the whole point of running a VPN connection?
Yes. What I'm saying is network operators are slowly forcing everyone to run _everything_ over a VPN-like service. That's fine, but it makes network operators unable to act on the traffic at the same level they can today.
Leo Bicknell - bicknell@ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/
I think the other point that may be escaping some people is that as more and more connections take on this VPN-like quality, as network operators we lose any visibility into the validity of the traffic itself. Imagine how much more painful SQL Slammer would have been if all the traffic was encapsulated in port 80 between sites, and only hit port 1434 locally? We'd suddenly be unable to quickly filter out the worm traffic, and would instead see only that our port 80 traffic was now eating our network alive--and we certainly couldn't get away with filtering that out.

We'd have no choice but to build our networks large enough to handle the largest-sized worm outbreak, as we'd have no option but to carry the traffic blindly from end to end, having no way to even begin to consider how to differentiate valid traffic from invalid traffic. At least today, we can decide that 92 byte ICMP echo-request packets are invalid, and drop them; or that for the most part, packets destined to port 1434 should be discarded as quickly as possible. If everything, including worm outbreaks, gets tunneled on port 80, get ready to loosen the purse strings, because there's no alternative other than to add more capacity.

If I were more of a conspiracy theorist, I might think that the router vendors and long-haul fiber providers might be rubbing their hands gleefully in the background, funnelling dollars into the VPN marketplace to fund more and more products that do exactly that...it would certainly be one way to ensure that the demand for larger pipes and faster routers stays high for the next decade or so, until OS vendors learn to secure their software better. ^_^;;

Matt
happy to still be able to block IPs/ports at his own discretion
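The visibility loss Matt describes can be made concrete with a small flow classifier. This is an added example, not code from the thread or from any of its posters: it runs an operator-style signature filter (UDP/1434 and 92-byte ICMP echo-request, the two cases named in the post) over a handful of constructed flow records, then re-runs it after the same flows have been wrapped in a port-80 tunnel. The flow-record fields, the 40-byte tunnel overhead and the packet-rate threshold are assumptions made for the example, not any vendor's NetFlow schema or a recommended setting.

```python
"""Toy flow classifier: signature filtering works on visible traffic, but
once everything is encapsulated on TCP/80 the operator is left with
per-source volume, which cannot tell a worm from a busy legitimate site.
All flow records below are constructed for this example."""
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str       # source address (constructed RFC 1918 values)
    dst: str       # destination address
    proto: str     # "tcp", "udp" or "icmp"
    dport: int     # destination port; 0 for ICMP
    pkt_len: int   # bytes per packet
    pps: int       # packets per second observed for this flow


def matches_signature(f: Flow) -> Optional[str]:
    """Signatures an operator can act on while headers are visible."""
    if f.proto == "udp" and f.dport == 1434:
        return "udp-1434"
    if f.proto == "icmp" and f.pkt_len == 92:
        return "icmp-92-byte"
    return None


def tunnel(f: Flow) -> Flow:
    """Model VPN-style encapsulation between sites: the inner protocol and
    port disappear, every packet becomes TCP/80, and each packet grows by
    a fixed overhead (assumed 40 bytes, standing in for tunnel headers)."""
    return Flow(f.src, f.dst, "tcp", 80, f.pkt_len + 40, f.pps)


def signature_filter(flows: List[Flow]) -> List[Tuple[str, str]]:
    """Return (source, signature) for every flow a signature ACL would drop."""
    hits = []
    for f in flows:
        sig = matches_signature(f)
        if sig:
            hits.append((f.src, sig))
    return hits


def volumetric_suspects(flows: List[Flow], pps_threshold: int) -> List[str]:
    """The lever left once signatures are blind: aggregate packet rate per
    source. Note it cannot distinguish a worm from a legitimately busy host."""
    rate = defaultdict(int)
    for f in flows:
        rate[f.src] += f.pps
    return sorted(src for src, r in rate.items() if r > pps_threshold)


# Constructed sample: two ordinary web flows, two high-rate UDP/1434 flows
# from one host, one 92-byte ICMP flood, and one busy but legitimate client.
CLEAR_FLOWS = [
    Flow("10.0.0.5", "10.0.1.7", "tcp", 80, 1400, 30),
    Flow("10.0.0.5", "10.0.1.8", "tcp", 443, 1200, 20),
    Flow("10.0.2.9", "10.0.1.7", "udp", 1434, 404, 5000),
    Flow("10.0.2.9", "10.0.1.20", "udp", 1434, 404, 5000),
    Flow("10.0.3.3", "10.0.1.7", "icmp", 0, 92, 2000),
    Flow("10.0.4.4", "10.0.1.7", "tcp", 80, 1400, 1500),
]

TUNNELLED_FLOWS = [tunnel(f) for f in CLEAR_FLOWS]


def demo() -> dict:
    """Run both detectors over clear and tunnelled traffic and return the
    results so the comparison can be inspected (or asserted on)."""
    return {
        "clear_signature_hits": signature_filter(CLEAR_FLOWS),
        "tunnelled_signature_hits": signature_filter(TUNNELLED_FLOWS),
        # Threshold of 1000 pps is an assumed value for the example.
        "tunnelled_volumetric": volumetric_suspects(TUNNELLED_FLOWS, 1000),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run as-is, the signature filter catches the UDP/1434 and ICMP flows in the clear traffic and nothing at all after tunnelling, while the volumetric fallback flags the worm sources together with the legitimate busy client 10.0.4.4: exactly the "port 80 is eating the network, and we can't filter port 80" situation the post describes.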