Re: ISMS working group and charter problems

"Steven M. Bellovin" <smb@cs.columbia.edu> Tue, 06 September 2005 23:04 UTC

From: "Steven M. Bellovin" <smb@cs.columbia.edu>
To: Iljitsch van Beijnum <iljitsch@muada.com>
In-Reply-To: Your message of "Wed, 07 Sep 2005 00:30:40 +0200." <9A2BB5EF-A137-439D-81AF-40B784D541A9@muada.com>
Date: Tue, 06 Sep 2005 19:04:50 -0400
Message-Id: <20050906230450.9BB1E3BFD6F@berkshire.machshav.com>
Cc: IETF Discussion <ietf@ietf.org>, Daniel Senie <dts@senie.com>
Subject: Re: ISMS working group and charter problems

In message <9A2BB5EF-A137-439D-81AF-40B784D541A9@muada.com>, Iljitsch van Beijnum writes:
>On 7-sep-2005, at 0:16, Daniel Senie wrote:
>
>> Actually, a "Firewall Considerations" section would make sense.
>
>What would be in such a section? There are only three possibilities:
>
>1. There is no firewall: no need for text.
>2. There is a firewall, and it doesn't try to block the protocol: no  
>need for text.
>3. There is a firewall, and it tries to block the protocol.
>
>So what text would be helpful in case #3? Either the firewall  
>successfully blocks the protocol and the firewall works and the  
>protocol doesn't, or the firewall doesn't manage to block the  
>protocol and the protocol works but the firewall doesn't. So whatever  
>happens, someone is going to be unhappy.
>
Not at all.  Often, a firewall needs to know a fair amount about the
protocol to do its job.  FTP is the simplest case -- it has to look for
the PORT (and, in some configurations, the PASV) command.  H.323 and SIP
are more complex.

But for complex protocols, we need to go a step further.  SIP has,
built-in, provision for gateways.  There are a number of reasons for
this, but firewall friendliness is certainly one of them.  The proper
question is this: would adding something to the protocol enable it to
operate properly in the presence of a firewall *without* subverting
site security policy?  The lack of that latter consideration has led to
people using http as the universal firewall traversal protocol, with
the obvious bad side-effects.

		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
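The FTP case Bellovin names above, where a firewall has to read the control channel to learn which data connection to admit, as an added example that is not part of the original message and is not code from the IETF or from Bellovin. It parses the RFC 959 `PORT h1,h2,h3,h4,p1,p2` request and the `227` passive-mode reply, derives the data-channel endpoint, and applies a constructed site policy (the advertised listener must be the endpoint that sent the line, on an unprivileged port) before opening a pinhole; the names `inspect`, `run_session`, `Pinhole` and the sample transcript with documentation-range addresses are all assumptions made here.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFC 959 encodes an IPv4 address and a 16-bit port as six decimal bytes:
#   client -> server: "PORT h1,h2,h3,h4,p1,p2"
#   server -> client: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)."
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


@dataclass(frozen=True)
class Pinhole:
    """A data-channel connection the firewall agrees to admit."""
    initiator: str   # side that opens the TCP connection
    listener: str    # side that accepts it
    port: int        # listener's port
    mode: str        # "active" (PORT) or "passive" (PASV)


def decode_hostport(text: str) -> Optional[Tuple[str, int]]:
    """Parse the h1,h2,h3,h4,p1,p2 tuple; None if absent or malformed."""
    m = _HOSTPORT.search(text)
    if m is None:
        return None
    b = [int(x) for x in m.groups()]
    if any(x > 255 for x in b):
        return None
    return ".".join(str(x) for x in b[:4]), b[4] * 256 + b[5]


def inspect(line: str, direction: str, client_ip: str, server_ip: str) -> Optional[Pinhole]:
    """Inspect one control-channel line.

    direction is "c2s" (client to server) or "s2c" (server to client).
    Returns the Pinhole to open, or None when the line opens nothing or
    fails policy.  The policy is a hypothetical site policy constructed
    for this example: the advertised listener must be the endpoint that
    sent the line (no redirecting the data channel to a third host), and
    the port must be unprivileged.
    """
    line = line.rstrip("\r\n")
    if direction == "c2s" and line[:5].upper() == "PORT ":
        hp = decode_hostport(line[5:])
        if hp is None:
            return None
        host, port = hp
        if host != client_ip or port < 1024:
            return None
        return Pinhole(initiator=server_ip, listener=client_ip, port=port, mode="active")
    if direction == "s2c" and line.startswith("227 "):
        hp = decode_hostport(line)
        if hp is None:
            return None
        host, port = hp
        if host != server_ip or port < 1024:
            return None
        return Pinhole(initiator=client_ip, listener=server_ip, port=port, mode="passive")
    return None


def run_session(lines: List[Tuple[str, str]], client_ip: str,
                server_ip: str) -> Tuple[List[Pinhole], List[str]]:
    """Feed a control-channel transcript through inspect().

    Returns the pinholes opened and the PORT/227 lines that were refused.
    """
    opened, refused = [], []
    for direction, line in lines:
        result = inspect(line, direction, client_ip, server_ip)
        if result is not None:
            opened.append(result)
        elif (direction == "c2s" and line[:5].upper() == "PORT ") or \
             (direction == "s2c" and line.startswith("227 ")):
            refused.append(line)
    return opened, refused


# Constructed sample transcript; addresses come from the documentation
# ranges and are not a real capture.
CLIENT_IP = "192.0.2.10"
SERVER_IP = "203.0.113.5"
SAMPLE_SESSION = [
    ("c2s", "USER anonymous"),
    ("s2c", "331 Please specify the password."),
    ("c2s", "PORT 192,0,2,10,4,1"),                              # client listens on 4*256+1 = 1025
    ("s2c", "200 PORT command successful."),
    ("c2s", "PORT 198,51,100,7,0,25"),                           # names a third host: refused
    ("c2s", "PASV"),
    ("s2c", "227 Entering Passive Mode (203,0,113,5,195,80)."),  # server listens on 195*256+80 = 50000
]

if __name__ == "__main__":
    opened, refused = run_session(SAMPLE_SESSION, CLIENT_IP, SERVER_IP)
    for p in opened:
        print(f"allow  {p.initiator} -> {p.listener}:{p.port} ({p.mode})")
    for line in refused:
        print(f"refuse {line!r}")
```

The point the example makes is the one in the message: the firewall cannot decide the data channel from packet headers alone, it has to parse application-layer commands and apply site policy to what they advertise. A server behind NAT that announces a translated address in its `227` reply is a legitimate case this policy would refuse, which is exactly the kind of trade-off a "Firewall Considerations" section would need to spell out.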