[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: On filibusters as a mode of technical discussion
On Tue, 23 Mar 2010 09:00:21 -0700, Fred Baker <email@example.com> wrote:
> It comes down to this. We as a community have two views. We would like a
> free and open Internet in which applications can be designed with an
> expectation that they can communicate amongst themselves freely. We would
> also like to have, and have a business need to provide for ourselves, the
> ability to communicate only with peer applications that have our best
> interests at heart. The history of humanity says that altruism is not a
> pervasive trait, and the history of the Internet says that we behave on
> Internet the same way we do at home.
> My corporate IT folks tell me they drop something on the order of 98% of
> the email sent to my account,
98% of which approximately 0% are filtered by a stateful firewall.
> because only 2% behaves in a manner
> consistent with good etiquette.
> At the firewall in front of my home I
> measure a 30 message per second standing load of messages from systems
> I have no reason to allow into my home.
30 messages of which 0 would actually hit an open port on the target
system? (not to mention the extra entropy of IPv6 addresses) Otherwise I
would reconsider my choice of software vendors if I were you...
> For me, it comes down to the reason
> I have a door on my home and it is equipped with a lock.
But the garden in front of your house is hardly protected at all, unless
you are really rich and/or a major potential target. You'll only check the
guy's identity once he rings your door bell.
Nobody said that you should let attackers deep into your computers. The
point is, the IP stack and/or the host-local firewall is typically better
at deciding what should and shouldn't go in than the CPE. Analogies will
only get you that far.
And then that's more state to be replicated into the (cheap small) CPE than
is anyway already on the end system.
> This draft was commissioned to describe a simple stateful default-deny
> firewall. What we decided yesterday that it would continue to describe is
> simple stateful default-deny firewall. Everyone doesn't have to install
> one, and we decided as a group that we would have no recommendation
> they should. But for those that choose to install a simple stateful
> default-deny firewall, this note indicates how that should behave.
That might be what the draft says and does not say. But lets face it.
Vendors will interpret it as IETF recommends default-deny. I just need to
check the position of most Cisco dudes here, and the job description of the
main draft author (working on Apple Airport) to make myself confident about
So. I am still left wondering what the point of IPv6 is if we have
default-deny? Wouldn't it be simpler to keep IPv4 + NAT then? Three years
after this draft came up and I raised this question, I am still lingering
from an answer from the "default-deny" camp.