Re: On filibusters as a mode of technical discussion
On Tue, 23 Mar 2010 09:00:21 -0700, Fred Baker <fred@cisco.com> wrote:
> It comes down to this. We as a community have two views. We would like a
> free and open Internet in which applications can be designed with an
> expectation that they can communicate amongst themselves freely. We would
> also like to have, and have a business need to provide for ourselves, the
> ability to communicate only with peer applications that have our best
> interests at heart. The history of humanity says that altruism is not a
> pervasive trait, and the history of the Internet says that we behave on the
> Internet the same way we do at home.
>
> My corporate IT folks tell me they drop something on the order of 98% of
> the email sent to my account,
98%, of which approximately 0% are filtered by a stateful firewall.
> because only 2% behaves in a manner
> consistent with good etiquette.
> At the firewall in front of my home I
> measure a 30 message per second standing load of messages from systems that
> I have no reason to allow into my home.
30 messages of which 0 would actually hit an open port on the target
system? (not to mention the extra entropy of IPv6 addresses) Otherwise I
would reconsider my choice of software vendors if I were you...
> For me, it comes down to the reason
> I have a door on my home and it is equipped with a lock.
But the garden in front of your house is hardly protected at all, unless
you are really rich and/or a major potential target. You'll only check the
guy's identity once he rings your door bell.
Nobody said that you should let attackers deep into your computers. The
point is, the IP stack and/or the host-local firewall is typically better
at deciding what should and shouldn't go in than the CPE. Analogies will
only get you that far.
And then that's more state to be replicated into the (cheap small) CPE than
is anyway already on the end system.
(...)
> This draft was commissioned to describe a simple stateful default-deny
> firewall. What we decided yesterday that it would continue to describe is a
> simple stateful default-deny firewall. Everyone doesn't have to install
> one, and we decided as a group that we would have no recommendation whether
> they should. But for those that choose to install a simple stateful
> default-deny firewall, this note indicates how that should behave.
That might be what the draft says and does not say. But let's face it.
Vendors will interpret it as IETF recommends default-deny. I just need to
check the position of most Cisco dudes here, and the job description of the
main draft author (working on Apple Airport) to make myself confident about
this.
So. I am still left wondering what the point of IPv6 is if we have
default-deny? Wouldn't it be simpler to keep IPv4 + NAT then? Three years
after this draft came up and I raised this question, I am still lingering
from an answer from the "default-deny" camp.
--
Rémi Denis-Courmont
http://www.remlab.net
http://fi.linkedin.com/in/remidenis