FW: Begin WG Last Call on draft-ietf-opsec-filter-caps-04
Hi,
Forwarding. I thought the WG was cc-ed.
Pat
-----Original Message-----
From: Copley, Timothy [mailto:Timothy.Copley@GlobalCrossing.com]
Sent: Thursday, October 26, 2006 7:34 PM
To: patrick cain
Subject: RE: Begin WG Last Call on draft-ietf-opsec-filter-caps-04
My comments.
3.2 Select traffic to the device.
MUST have the ability to differentiate via socket/port, IP src/dst, IP
subnet, DSCP, TOS, protocol, MTU. Should have the ability to do a combination
of two or more.
3.3 Must have ability to differentiate via Protocol
3.4 Dropped traffic Must be accounted for
3.7 Not sure it's necessary to have the name there, but must have the
ability.
4.1 must have ability to account for permit, reject, drop
4.1 must have ability to work in conjunction with 4.2
4.2 Must use bits, not bytes, for the limit. (I've had some small vendors (and
large ones) specify all the values in bytes.) It really makes it a pain.
4.3 Should Where 4.5 is a MUST
4.3 Must have the ability to log externally, should have the ability to log internally.
7.1 This is huge; I don't think it's a fair requirement for this document.
This essentially requires the box to be able to track state between flows
and between interfaces. It makes the box essentially become a firewall.
While it would be nice to have on all boxes, I don't think you will have
everybody following this BCP/RFC. Better to leave this out and get the rest
of the things you want. This could easily be a separate document.
7.2 This is either an IDS option or a filter described earlier. I think you
are going to have people ignoring this BCP/RFC if this is a requirement
(IDS). I would probably make this a different document.
7.3 This could also be a subnet range or source interface.
The format of this is confusing, where you are separating out logging/counting
from the filter/rate limiting. I understand it's so you don't have to type the
same paragraph for each section; however, it might make more sense to break it
back down into each section.
Anyway this is needed.
TimC
Tim Copley
timc@gblx.net
Global Crossing
> -----Original Message-----
> From: owner-opsec@psg.com [mailto:owner-opsec@psg.com] On Behalf Of
> patrick cain
> Sent: Thursday, October 26, 2006 2:01 PM
> To: opsec@ops.ietf.org
> Subject: Begin WG Last Call on draft-ietf-opsec-filter-caps-04
>
> Hi,
> The authors and co-chairs think that this document is ready for
> progression.
> This begins working group last call on:
>
> http://www.ietf.org/internet-drafts/draft-ietf-opsec-filter-caps-04.txt
>
> "Filtering and Rate Limiting Capabilities for IP Network
> Infrastructure"
>
> The last call will terminate two weeks from tomorrow (Friday November
> 9, 2006).
> Note that this is at the end of an IETF meeting. Since we are *not*
> having a face-to-face meeting, this could be a very productive use of
> your expected two hours of OPSEC time. ;)
>
> Comments to the list please.
>
> thanks, Ross and Pat
>
> P.S. We are going to last call all the *-caps documents one-at-a-time,
> with some space between them, over the next month(s) to finish them. If
> you finish this one early, feel free to start on another one....