next up previous
Next: TCP Back-Channels Up: Designing an Academic Previous: User Acceptance

Protocol Design Issues


Given current application protocol design, we do not believe that it is possible to implement a pure request-response firewall policy. For example, we cannot deploy request-response filters for FTP, rsh, and other protocols that require back-channel connections. UDP-based services, in general, are also not filterable: packet filters do not maintain state information about previous packets, and without that state, the filter cannot ascertain whether a given UDP packet is a response to an outstanding request.

We address these protocol limitations in our currently-deployed firewall by either dropping packets and causing application-level failure or by providing application-level gateways on bastion hosts. We believe that in the medium-term, protocols will have to change to address problems like spoofing and connection hijacking, as well as accommodate IPv6. We therefore examine what additional protocol changes would allow a realistic packet filter to implement a pure request-response policy.

Sandeep Singhal
Thu Nov 30 01:58:58 PST 1995