
Re: On filibusters as a mode of technical discussion



Bill:

I don't think you read my note very carefully. The paragraph after the one you quoted was:

> If we want to change the intent of the note, that's one thing. But we didn't yesterday decide to change the intent of the note. What we decided yesterday was to permit a second note, perhaps based on draft-vyncke-advanced-ipv6-security, that would describe an alternative security procedure. I would invite that note, and I would invite demonstration of the effectiveness of the mechanisms proposed in providing security.

That *is* a default-accept firewall.

By the way, I spoke with Eric last night suggesting that he pull together people of like mind and turn the document into something that we can consider a working group draft in Maastricht this summer. The burden of proof will be on him, Mark, and whoever collaborates with them to show that the technology they describe in fact prevents attacks; we have already heard expert commentary in the working group meeting on Monday that the premise of the service is difficult to support based on present experience.

That said, this draft was accepted by the working group as a working group draft and initially posted in June 2007, and was by design a description of a stateful firewall, which is to say, a firewall that prevents unsolicited inbound traffic. There was discussion at the time from some who didn't want a firewall described, but there was not at that time *any* discussion of anything one might call a "firewall" that by default didn't stop anything.

On Mar 24, 2010, at 2:48 AM, bmanning@vacation.karoshi.com wrote:

> On Tue, Mar 23, 2010 at 09:00:21AM -0700, Fred Baker wrote:
>> 
>> This draft was commissioned to describe a simple stateful default-deny firewall. What we decided yesterday that it would continue to describe is a simple stateful default-deny firewall. Everyone doesn't have to install one, and we decided as a group that we would have no recommendation whether they should. But for those that choose to install a simple stateful default-deny firewall, this note indicates how that should behave.
>> 
> 
> 	if i may, if this draft was commissioned (by whom?) then it seems prudent to also
> 	have a draft to describe a simple, stateful default-accept firewall if only to provide
> 	a balanced choice. Otherwise we (the IETF) end up with only a single choice defined
> 	and after all, if there is only a single choice, what choice is there?
> 
> --bill

http://www.ipinc.net/IPv4.GIF
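To make the distinction the thread is arguing over concrete, here is an added example that is not code from the thread, from the draft, or from its authors: a toy connection-tracking filter in which outbound packets create flow state and inbound packets are accepted only when they match it (default-deny), beside the default-accept alternative. The class, function names, addresses and packet sequence are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str          # "outbound" (from inside) or "inbound" (from outside)
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

class SimpleStatefulFirewall:
    """Hypothetical model of a simple stateful firewall.

    Outbound packets record a flow; an inbound packet is accepted if it is the
    mirror image of a recorded flow (a solicited reply). What happens to an
    inbound packet with no matching flow is the policy knob discussed above:
    default-deny drops it, default-accept lets it through.
    """
    def __init__(self, default_accept: bool = False):
        self.default_accept = default_accept
        self.flows = set()  # (proto, inside_addr, inside_port, outside_addr, outside_port)

    def filter(self, pkt: Packet) -> str:
        if pkt.direction == "outbound":
            # Inside host initiated the flow: remember it so replies can return.
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "accept"
        # Inbound: mirror the tuple so a reply lines up with the outbound entry.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.flows:
            return "accept"                                   # solicited reply
        return "accept" if self.default_accept else "drop"   # unsolicited inbound

def run_sample(default_accept: bool) -> list:
    """Run a constructed three-packet sequence (IPv6 documentation prefix
    2001:db8::/32) through the chosen policy and return the decisions."""
    fw = SimpleStatefulFirewall(default_accept)
    inside, web, stranger = "2001:db8::10", "2001:db8:1::80", "2001:db8:2::5"
    sample = [
        Packet("outbound", inside, 40000, web, 443),       # inside host opens HTTPS
        Packet("inbound", web, 443, inside, 40000),        # the server's reply
        Packet("inbound", stranger, 55555, inside, 22),    # nobody inside asked for this
    ]
    return [fw.filter(p) for p in sample]
```

With default-deny the unsolicited third packet is dropped; with default-accept the same packet reaches the inside host, which is exactly why the thread treats the two as different documents rather than one.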