On Thu, 26 Jan 1995, Dave Mitchell wrote:

> "Jonathan M. Bresler" <jmb@kryten.Atinc.COM> writes:
> >On Tue, 24 Jan 1995, Jim Duncan wrote:
> >
> >> > As has been pointed out, only network or
> >> > transport-level encryption will entirely block these attacks.
> >>
> >> That's correct. That and teach people the difference between identification
> >> and authentication.
> >
> >	a filtering router is enough to prevent this attack from being
> >used from "the outside".
>
> This is all well and good as long as there is a simple "inside"/"outside"
> distinction. I am in this happy situation at the moment, and I have a filter
> between my dept and the main campus which rejects external packets claiming
> an internal src IP address. HOWEVER, I am likely to come under political
> pressure soon to allow R-protocol, NFS, etc to a machine on the other
> side of this filter. At which point my filter is virtually useless.

	"political pressure soon to allow R-protocol, NFS, etc"
those reasons fall under the rubric of non-technical considerations.
i do not belittle them; frequently the technical fix is easy, but the
political situation is intolerable.

	can you 'spoof' the sources of the pressure? place their
data on a machine that is outside, but appears to them to be inside.
remember, provide management with a couple of typos to correct and
they won't notice the elephant in the corner of the office.
if necessary draw an integral on the elephant's side---guarantees
management blindness :) if necessary, you can even refer to the
integral "as you can see here, the integral of packets density over time,
using a poincare (;)))))) distribution of arrival times.......)
you know how to do this.

> So I think it's true to say that as a generalisation, encryption *is*
> the only way to block attacks.

	sounds good. but the other is available now, with little or
no implementation problems. a quick effective measure, till something
better is developed.

jmb

Jonathan M. Bresler  jmb@kryten.atinc.com  | Analysis & Technology, Inc.
                                           | 2341 Jeff Davis Hwy
play go.                                   | Arlington, VA 22202
ride bike. hack FreeBSD.--ah the good life | 703-418-2800 x346
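
Added example, not part of the original message: a small Python model of the border filter discussed in the thread. It shows that the anti-spoofing rule is checkable because the arrival interface contradicts the claimed source, while an exception for an outside host rests on a source address the router cannot verify. The addresses, port set and function names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing plan (assumptions, not taken from the thread).
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")       # the department
TRUSTED_OUTSIDE = ipaddress.ip_address("198.51.100.10")   # campus host granted access
ADDRESS_TRUSTED_PORTS = {514: "rsh", 2049: "nfs"}         # services that trust src IP

@dataclass(frozen=True)
class Packet:
    iface: str   # interface the router received it on: "outside" or "inside"
    src: str
    dst: str
    dport: int

def decide(pkt, allow_exception):
    """Return (verdict, reason) for one packet at the border filter."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if pkt.iface != "outside":
        return "accept", "arrived on inside interface"
    if src in INTERNAL_NET:
        # Arrival interface contradicts the claimed source: provably forged.
        return "drop", "internal source on outside interface"
    if dst in INTERNAL_NET and pkt.dport in ADDRESS_TRUSTED_PORTS:
        if allow_exception and src == TRUSTED_OUTSIDE:
            # Nothing contradicts the claim, so the router cannot check it.
            return "accept", "unverifiable source trusted for " + ADDRESS_TRUSTED_PORTS[pkt.dport]
        return "drop", "address-trusted service closed to outside"
    return "accept", "no address-based trust involved"

def unverifiable_trust(packets, allow_exception):
    """Packets admitted to an address-trusting service on the source claim alone."""
    return [p for p in packets
            if decide(p, allow_exception)[1].startswith("unverifiable")]

# Constructed sample traffic.
SAMPLE = [
    Packet("outside", "192.0.2.7", "192.0.2.20", 514),       # claims to be internal
    Packet("outside", "198.51.100.10", "192.0.2.20", 514),   # claims to be the trusted host
    Packet("outside", "203.0.113.5", "192.0.2.20", 2049),    # unrelated outside host
    Packet("inside", "192.0.2.7", "192.0.2.20", 514),        # genuine internal rsh
]

if __name__ == "__main__":
    for exc in (False, True):
        print("exception enabled:", exc)
        for p in SAMPLE:
            print("  ", p.src, "->", p.dport, decide(p, exc))
```

With the exception enabled, the only packet in the sample that reaches an address-trusting service from outside is the one whose source claim the filter has no means to check, which is the case an authentication or encryption layer has to cover.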