Mailinglist Archive: opensuse (4446 mails)

[opensuse] Re: don't set Reply-to!! (was NO PERSONAL REPLIES...)
  • From: Joachim Schrod <jschrod@xxxxxxx>
  • Date: Fri, 08 Dec 2006 13:20:06 +0100
  • Message-id: <elbl9n$v4c$1@xxxxxxxxxxxxx>
Joachim Schrod wrote:

I hate to reply to myself, but I forgot:


To quote Jon Postel in RFC 761, the TCP definition from January 1980,
the last two lines on page 12:

be conservative in what you do, be liberal in what you accept from
others.

Words to keep in mind, they served us well for more than 25 years --
RIP Jon Postel.

JE> You know where this RFC attitude brought us - Web browsers accepting
JE> broken HTML, resulting in sloppy non-standard pages that display in
JE> less than average of the browsers.

JE> Especially when it comes to
JE> security, e.g. firewalls, it's better to turn the RFC quote:

JE> Be conservative in what you accept and be
JE> liberal in what you do.
JE> [http://jengelh.hopto.org/p/jen_ipfw/TECH.txt]

A tip: you might want to read the early RFCs at some time. They are really valuable. `To be liberal in what you accept from others' does NOT mean to accept any service request from the outside and keep every connection open. In fact, to re-interpret that sentence as meaning that one should accept all incoming connections and keep all services open is against the RFC intentions, and a blatant attempt at a history rewrite.

The cited principle realizes robustness; it means to be able to handle misformed connection attempts and protocol contents properly, without going into inconsistent states of one's software. E.g., to be able to handle misformed IP packets, or to be able to handle requests that are outside the FSA of a protocol. We really don't want inconsistent states in our software because somebody violates the SSL protocol; or the SMTP protocol, for that matter. That kind of attitude leaves us without robust software and brings us security holes.

Robustness, as urged by Jon Postel in this sentence, is urgently needed in all our security-related software and nothing to mock about. As it is, Jon knew more about the Internet and how to create a robust and secure network than you. (And, in fact, more than I; I met him, I know and accept it.)

Joachim

--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Joachim Schrod Email: jschrod@xxxxxxx
Roedermark, Germany
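
The point above about requests outside a protocol's FSA, as an added example that is not part of the original mail: a simplified SMTP-like command handler that tolerates harmless variation (lowercase verbs, bare LF) but answers malformed or out-of-sequence lines with an error reply and leaves its state untouched. The class, table and sample lines are assumptions constructed for illustration; message body transfer after DATA is omitted.

```python
import re

# Simplified SMTP-like command FSA (hypothetical names): state -> {verb: next state}
TRANSITIONS = {
    "START":   {"HELO": "GREETED"},
    "GREETED": {"MAIL": "SENDER"},
    "SENDER":  {"RCPT": "RCPT"},
    "RCPT":    {"RCPT": "RCPT", "DATA": "GREETED"},  # body transfer omitted
}
VERBS = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "QUIT"}
MAX_LINE = 512
# Four-letter verb, optionally one space and a printable-ASCII argument.
LINE_RE = re.compile(rb"([A-Za-z]{4})(?: ([\x21-\x7e][\x20-\x7e]*))?")

class Session:
    def __init__(self):
        self.state = "START"

    def feed(self, raw: bytes) -> int:
        """Handle one command line and return an SMTP-style reply code."""
        if self.state == "CLOSED":
            return 503
        if len(raw) > MAX_LINE:
            return 500                      # oversized line: reject, state unchanged
        m = LINE_RE.fullmatch(raw.rstrip(b"\r\n"))  # liberal: CRLF or bare LF
        if m is None:
            return 500                      # binary junk, embedded newlines, ...
        verb = m.group(1).decode("ascii").upper()   # liberal: case-insensitive
        if verb not in VERBS:
            return 500
        if verb == "QUIT":
            self.state = "CLOSED"
            return 221
        if verb == "RSET":
            if self.state != "START":
                self.state = "GREETED"
            return 250
        nxt = TRANSITIONS[self.state].get(verb)
        if nxt is None:
            return 503                      # known verb outside the FSA: state unchanged
        self.state = nxt
        return 354 if verb == "DATA" else 250

def replay(lines):
    """Feed constructed lines to a fresh session; return (reply, state) pairs."""
    s = Session()
    return [(s.feed(line), s.state) for line in lines]

# Constructed sample input, not captured traffic.
SAMPLE = [b"MAIL FROM:<a@example.org>\r\n", b"\x00\xff junk\r\n", b"helo client.example\n",
          b"DATA\r\n", b"MAIL FROM:<a@example.org>\r\n", b"RCPT TO:<b@example.org>\r\n",
          b"A" * 2000, b"DATA\r\n", b"QUIT\r\n", b"HELO again\r\n"]
```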
