
Re: On filibusters as a mode of technical discussion



On 3/24/10 7:12 PM, Fred Baker wrote:
Two comments, Mark.

First, if you're trying to prevent the Internet from having IPv6 firewalls, you're late. That horse left the barn in 2004, with Checkpoint announcing that it was "the first to secure IPv6". Per a 2007 ICANN study "at least 30% of the 42 [firewall] vendors surveyed, had IPv6 support" (http://www.icann.org/committees/security/sac021.pdf); those vendors include at least Checkpoint, Cisco, and Juniper from a very quick search on Google, and consider the list in http://www.getipv6.info/index.php/IPv6_Firewalls. I can see removing any IETF recommendation that firewalls be deployed, which we agreed to Monday. I see value in specifying what, if one chooses to implement a default-deny firewall, that means.
All of the data above are with respect to firewalls for IPv6-enabled businesses, not residential consumer networks. In my discussion, I am very much separating the issue of enterprise IT-managed firewalls vs. residential "consumer" firewalls, since the draft is only targeting residential or "small business" sites.

I have no problem with enterprise managed IPv6 firewalls. The assets being protected, the management staff operating the equipment, and the types of applications being run are all very different than the typical residential site. There is some overlap, for telecommuting workers such as yourself, but by and large these are very different use-cases. The v6ops draft is *not* targeting enterprise firewalls at all. If it was, we wouldn't be agonizing over well-defined defaults, for one.

I would like to distinguish between volume of mailing, both in message count and tone, and technical discourse. "I'm agin it, it disagrees with my preferred view of the world, and I will shout it down if I can" is not "honest technical opinion". If you review the discussion, I think you will find that there are some on each side of the debate, and the decision we came to Monday, to describe firewalls but make no comment recommending for or against them, and to invite an alternative solution if it passes security muster, is supported.
Then consider much of the discussion as a prelude to what kind of alternative solution we need. If we are to have an alternative, those that do not agree with the current status quo need to be able to state why.

On "filibustering" and the number of messages you are seeing from me, I suppose you are seeing what happens on email when I don't get a chance to speak at the mic in person. Apologies, it doesn't happen often.

- Mark


On Mar 24, 2010, at 7:33 AM, Mark Townsley wrote:

Just getting to this, Fred.

What I see is people stating their honest, technical, opinion.

It's coming out so rapidly, I believe, because there is a new realization by some and pent-up unspoken opinion by others that this document, along with the misunderstanding of RFC 4864's original intent, are in danger of together taking IPv6 in a way that at least a significant number of IETF members do not want to have their name behind.

- Mark



On 3/23/10 5:00 PM, Fred Baker wrote:
I'd like to bring this discussion back to a place of a little less fervor and a little more engineering, if I may. I have been staying out of it as much as anything because people really do need to be allowed to say what they think. But...

At the microphone yesterday, I had to cut the discussion off. My reasons were two-fold. One was that we were in the first discussion of several and the meeting time had to be preserved. The other was that successive speakers were saying the same thing, and spending a lot of time saying it. It had the effect of a filibuster, and I'm not in favor of filibusters as a means of getting technical work done.

It comes down to this. We as a community have two views. We would like a free and open Internet in which applications can be designed with an expectation that they can communicate amongst themselves freely. We would also like to have, and have a business need to provide for ourselves, the ability to communicate only with peer applications that have our best interests at heart. The history of humanity says that altruism is not a pervasive trait, and the history of the Internet says that we behave on the Internet the same way we do at home.

My corporate IT folks tell me they drop something on the order of 98% of the email sent to my account, because only 2% behaves in a manner consistent with good etiquette. At the firewall in front of my home I measure a 30 message per second standing load of messages from systems that I have no reason to allow into my home. For me, it comes down to the reason I have a door on my home and it is equipped with a lock. Someone who has a legitimate reason to be in my home also has the manners to knock on my door. If we don't see this on IPv6, it is for the same reason that I don't see viruses on my Mac - it's a sufficiently low value target that nobody is bothering to attack it. As soon as it becomes an interesting target, we can expect folks to attack it. The fact that it is not raining now is not proof that I will not need a roof at any time in the future. Non sequitur.

This draft was commissioned to describe a simple stateful default-deny firewall. What we decided yesterday that it would continue to describe is a simple stateful default-deny firewall. Everyone doesn't have to install one, and we decided as a group that we would have no recommendation whether they should. But for those that choose to install a simple stateful default-deny firewall, this note indicates how that should behave.

If we want to change the intent of the note, that's one thing. But we didn't yesterday decide to change the intent of the note. What we decided yesterday was to permit a second note, perhaps based on draft-vyncke-advanced-ipv6-security, that would describe an alternative security procedure. I would invite that note, and I would invite demonstration of the effectiveness of the mechanisms proposed in providing security.

Let's drop the filibuster. Please. Let's channel all this fervor into making the alternative a really good, and really honestly accurate, note.

