
Re: On saving end-to-end transparency
For my part, I have no problem with a group of people defining how to build some rendition of an IPv6 firewall, as long as the reader understands that it is some sort of "best guess" between what IPv6 was designed to be and what IPv4 has come to be.

What I do have a problem with is the IETF making a recommendation that residential IPv6 users should sit behind such a firewall by default. Despite anyone's interpretation of it, RFC 4864 was not intended to make this kind of proclamation (I think Brian has made that substantially clear of late).

And, above all, that's what I am trying to clear up. Both for the simple-security draft, and RFC 4864.

- Mark


On 3/22/10 7:41 PM, STARK, BARBARA H (ATTLABS) wrote:
The real decision, IMO, is whether the IETF intends to provide an RFC
that describes *how* to do the reflective session state firewall thing
that is described in RFC 4864 Section 4.2. There really just needs to be
a decision, one way or another.

- If no, that's fine. But make that decision! And understand the
consequences: Other SDOs/documents that are referencing simple-security
will revert to an RFC 4864 Section 4.2 reference; the reflective session
state firewall will be widely implemented, but there will be little to
no consistency among those implementations.

- If yes, that's great. But make that decision, and move forward! And
don't try to play some sort of bait and switch game, like keep the
simple-security name but change it from describing a reflective session
state firewall to describing something else (like rate limiting). If the
IETF doesn't want to describe how to do reflective session state
firewalls, then kill simple-security and use a different name for
describing something different -- like easy-security.

The default discussion is irrelevant. Simple-security is being seen as a
how-to guide for doing a reflective session state IPv6 firewall.
Implementers will decide for themselves whether they want it on or off,
by default.

So, please, decide! Either let simple-security go forward, as a how-to
for a reflective session state IPv6 firewall (and nothing else), or kill
it.

Barbara