Re: ISMS working group and charter problems
Iljitsch van Beijnum <iljitsch@muada.com> Wed, 07 September 2005 07:55 UTC
From: Iljitsch van Beijnum <iljitsch@muada.com>
Date: Wed, 07 Sep 2005 09:55:16 +0200
To: "Steven M. Bellovin" <smb@cs.columbia.edu>
Cc: IETF Discussion <ietf@ietf.org>
Subject: Re: ISMS working group and charter problems

On 7-sep-2005, at 1:54, Steven M. Bellovin wrote:

>> I recognize that carrying all existing firewalls to the scrap heap
>> won't immediately solve our problems, but we do have to realize that
>> current filter practices do almost as much harm as they do good. We
>> really need better stuff here.
>>
>> (It's amusing to see that to some people, security means encrypting
>> their communication, while to others it means inspecting that same
>> communication.)

> I opt for each in its place. I'm also an advocate for distributed
> firewalls. But I *really* don't want to refight the whole firewall
> issue yet again; I've been through that too many times in the last
> decade or so.

:-)

Well, I wouldn't mind having this fight if I thought it would do any good, but that doesn't seem likely.

What _could_ do some good is come up with better stuff than just observing packets on the wire. The exact same packet can either be completely harmless or be part of a huge security breach, depending on what software sent it / will receive it. It would be great if a security device could block packets sent by Apache 2.8 while allowing the same packets if sent by Apache 2.81.

> For right now, though, the issue is engineering. Again, the vast
> majority of hosts are behind firewalls. Is the philosophical issue
> that important that we should ignore it? I don't think so.

Well, I had occasion to write a NAT and firewall considerations section for a draft not long ago, but the trouble is: what should go in there? As long as there are no guidelines on how to interact with firewalls, such sections will generally reflect the private opinions of the authors, which may or may not be useful on a case-by-case basis.

(In this case, my main concern was that certain signalling traffic would be handled the same as certain other signalling traffic by firewalls, and it would be good if we could make both types of signalling be treated the same as the data traffic, but that didn't seem doable.)