IPP Mail Archive: RE: IPP> Notifications

RE: IPP> Notifications

Turner, Randy (rturner@sharplabs.com)
Wed, 4 Feb 1998 19:00:16 -0800

I am speaking about our specific installation of Checkpoint Firewall-1,
from which Cisco and a number of other vendors have licensed technology.
It is as easy to open up a TCP pipe as it is UDP. This is of course a
mechanical method. If you are talking about policy rather than how
difficult it is to actually enable UDP or TCP, then that is a different
story. Most firewall packages I'm aware of assume a certain semantic
content based upon protocol (UDP or TCP) and the associated port number.
The semantic assumptions regarding content usually stem from the
"services" and "well-known-port" documents maintained by IANA, as well
as some industry-wide de facto standards for TCP/UDP port numbers.

I know that a number of companies participate in IP Multicast based
services and these types of applications use UDP for delivery of
content. There are other organizations that allow SNMP management
through firewalls through firewall-vendor specific authentication
techniques, as well as source IP address filtering (excepting any IP
spoofing attempts).

I'm not an expert hacker, and I also don't subscribe to alt.2600, but
the firewall product we use within our organization is the market
leader, and we securely support UDP datagrams through our firewall.

If there are CERT advisories or other real-world scenarios regarding
break-ins or other misuse of UDP datagrams to thwart security, then I
would like to know about them. These of course would need to be detailed
explanations, hopefully not of the form "Well, I've heard UDP is a
problem with firewall admins..."

Randy

-----Original Message-----
From: Larry Masinter [SMTP:masinter@parc.xerox.com]
Sent: Wednesday, February 04, 1998 6:20 PM
To: Turner, Randy
Cc: 'ipp@pwg.org'
Subject: Re: IPP> Notifications

> UDP has no more firewall or proxy problem than TCP, given any arbitrary
> port number.
> The issues are the same for both.

Is this a "first principles" argument? That is, are you speaking from
experience with firewall developers and maintainers, or is it just based
on reasoning about the nature of the protocols? What I have heard, both
from local firewall maintainers at Xerox and more generally in discussions
of firewall issues in other Internet protocols, is that there's a
substantial difference in the considerations of a site allowing inbound
UDP packets, allowing TCP connections with known semantic content, and
allowing inbound HTTP posts with well known data content.

Perhaps you have some different data that you could share with us?

Larry
--
http://www.parc.xerox.com/masinter