
Re: On filibusters as a mode of technical discussion



Two comments, Mark.

First, if you're trying to prevent the Internet from having IPv6 firewalls, you're late. That horse left the barn in 2004, with Checkpoint announcing that it was "the first to secure IPv6". Per a 2007 ICANN study "at least 30% of the 42 [firewall] vendors surveyed, had IPv6 support" (http://www.icann.org/committees/security/sac021.pdf); those vendors include at least Checkpoint, Cisco, and Juniper from a very quick search on Google, and consider the list in http://www.getipv6.info/index.php/IPv6_Firewalls. I can see removing any IETF recommendation that firewalls be deployed, which we agreed to Monday. I see value in specifying what, if one chooses to implement a default-deny firewall, that means.

Second, in this discussion, I use the word "filibuster" in accordance with its dictionary definition: "an action such as a prolonged speech that obstructs progress in a legislative assembly while not technically contravening the required procedures". At the mike on Monday, we had a succession of people who lined up to comment on the draft that in essence passionately repeated each other and each individually took a long-winded approach to doing so, and in so doing prevented other opinions from being expressed and consumed the available time to discuss the comments on the draft - and there were important comments on its recommendations. On the list in the last 48 hours, consider what has happened. YTD, speaking at 10:04 AM PDT on 24 March, we have had 502 comments on the v6ops list. More than half of those have come in since 11 March, related to the agenda of this meeting and the question regarding RFC 5006 (and much of that off-topic, on the question of a proposal I expect to receive from Remi for a container for DHCP options to be carried in an RA, and which I expect to refer to 6man as 6man is chartered to handle such questions) and this question. 78, or about one in six YTD, have been on this topic, phrasing it either as a comment on the draft, a plea for end to end transparency, or this thread. The message count has been:

         1      shengjiang@huawei.com
         6      remi@remlab.net
         1      ot@cisco.com
         1      marcoh@marcoh.net
         3      Fred.L.Templin@boeing.com
         2      jdunn@mitre.org
         1      lee@asgard.org
         3      remi.despres@free.fr
         1      nick@inex.ie
         2      bmanning@vacation.karoshi.com
         7      fred@cisco.com
         3      jhw@apple.com
         2      kurtis@kurtis.pp.se
         1      cb.list6@gmail.com
         3      brian.e.carpenter@gmail.com
         2      joelja@bogus.com
         1      bs7652@att.com
         1      victor.kuarsingh@gmail.com
         2      gert@space.net
         1      tony@lava.net
         1      hesham@elevatemobile.com
         4      ipng@69706e6720323030352d30312d31340a.nosense.org
        19      townsley@cisco.com
         1      yanodd@otenet.gr
         4      mohacsi@niif.hu
         1      matsuhira@jp.fujitsu.com
         4      pch-v6ops@u-1.phicoh.com

The tenor has been pretty loud from certain quarters.

I would like to distinguish between volume of mailing, both in message count and tone, and technical discourse. "I'm agin it, it disagrees with my preferred view of the world, and I will shout it down if I can" is not "honest technical opinion". If you review the discussion, I think you will find that there are some on each side of the debate, and the decision we came to Monday, to describe firewalls but make no comment recommending for or against them, and to invite an alternative solution if it passes security muster, is supported.



On Mar 24, 2010, at 7:33 AM, Mark Townsley wrote:

> 
> Just getting to this, Fred.
> 
> What I see is people stating their honest, technical, opinion.
> 
> It's coming out so rapidly, I believe, because there is a new realization by some and pent-up unspoken opinion by others that this document, along with the misunderstanding of RFC 4864's original intent, are in danger of together taking IPv6 in a way that at least a significant number of IETF members do not want to have their name behind.
> 
> - Mark
> 
> 
> 
> On 3/23/10 5:00 PM, Fred Baker wrote:
>> I'd like to bring this discussion back to a place of a little less fervor and a little more engineering, if I may. I have been staying out of it as much as anything because people really do need to be allowed to say what they think. But...
>> 
>> At the microphone yesterday, I had to cut the discussion off. My reasons were two-fold. One was that we were in the first discussion of several and the meeting time had to be preserved. The other was that successive speakers were saying the same thing, and spending a lot of time saying it. It had the effect of a filibuster, and I'm not in favor of filibusters as a means of getting technical work done.
>> 
>> It comes down to this. We as a community have two views. We would like a free and open Internet in which applications can be designed with an expectation that they can communicate amongst themselves freely. We would also like to have, and have a business need to provide for ourselves, the ability to communicate only with peer applications that have our best interests at heart. The history of humanity says that altruism is not a pervasive trait, and the history of the Internet says that we behave on the Internet the same way we do at home.
>> 
>> My corporate IT folks tell me they drop something on the order of 98% of the email sent to my account, because only 2% behaves in a manner consistent with good etiquette. At the firewall in front of my home I measure a 30 message per second standing load of messages from systems that I have no reason to allow into my home. For me, it comes down to the reason I have a door on my home and it is equipped with a lock. Someone who has a legitimate reason to be in my home also has the manners to knock on my door. If we don't see this on IPv6, it is for the same reason that I don't see viruses on my Mac - it's a sufficiently low value target that nobody is bothering to attack it. As soon as it becomes an interesting target, we can expect folks to attack it. The fact that it is not raining now is not proof that I will not need a roof at any time in the future. Non sequitur.
>> 
>> This draft was commissioned to describe a simple stateful default-deny firewall. What we decided yesterday that it would continue to describe is a simple stateful default-deny firewall. Everyone doesn't have to install one, and we decided as a group that we would have no recommendation whether they should. But for those that choose to install a simple stateful default-deny firewall, this note indicates how that should behave.
>> 
>> If we want to change the intent of the note, that's one thing. But we didn't yesterday decide to change the intent of the note. What we decided yesterday was to permit a second note, perhaps based on draft-vyncke-advanced-ipv6-security, that would describe an alternative security procedure. I would invite that note, and I would invite demonstration of the effectiveness of the mechanisms proposed in providing security.
>> 
>> Let's drop the filibuster. Please. Let's channel all this fervor into making the alternative a really good, and really honestly accurate, note.
>> 
>>   
> 

http://www.ipinc.net/IPv4.GIF
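For readers who want to see what "a simple stateful default-deny firewall" amounts to in practice, the ruleset below is an added illustration written for this archive page, not text from the draft the thread discusses and not anything posted by Fred or Mark. It is an nftables configuration for a small IPv6 CPE router; the interface names "eth0" (WAN) and "eth1" (LAN) are assumptions. The one caveat a practitioner should take from it is that default-deny on IPv6 cannot mean "drop all ICMPv6": Neighbor Discovery, Router Advertisements and Packet Too Big are how the protocol itself functions, so those types are carved out explicitly.

```nft
# Added example: simple stateful default-deny IPv6 firewall for a CPE router.
# Illustrative configuration for this page, not the draft's text.
# Assumed interfaces (not from the page): eth0 = WAN uplink, eth1 = LAN.
table ip6 filter {
    chain input {
        # Traffic addressed to the router itself: deny unless listed below.
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ICMPv6 the router needs in order to be an IPv6 node at all:
        # errors/PMTUD, ping, and Neighbor Discovery (RS/RA/NS/NA).
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request,
                      nd-router-solicit, nd-router-advert,
                      nd-neighbor-solicit, nd-neighbor-advert } accept

        # Anything from the LAN side may reach the router (DNS, DHCPv6, admin).
        iif "eth1" accept

        # DHCPv6 replies from the upstream server to our WAN client port.
        iif "eth0" udp sport 547 udp dport 546 accept
    }

    chain forward {
        # Traffic transiting between LAN and WAN: outbound open, inbound
        # only as a reply to something a LAN host started.
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # LAN hosts may open connections to the Internet.
        iif "eth1" oif "eth0" accept

        # Unsolicited inbound to LAN hosts is dropped by policy, except the
        # ICMPv6 messages transports depend on (Packet Too Big in particular).
        iif "eth0" oif "eth1" icmpv6 type { destination-unreachable,
            packet-too-big, time-exceeded, parameter-problem,
            echo-request } accept
    }

    chain output {
        # Locally generated traffic is not filtered in this simple model.
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f <file>` and check the result with `nft list ruleset`. Note that the forward chain's `policy drop` is what makes this "default-deny": no rule needs to enumerate what is blocked, only what is allowed, and the conntrack rules are what make it "stateful", since replies to LAN-initiated flows match `established,related` rather than needing a port-by-port hole.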