Re: ISMS working group and charter problems

Melinda Shore <mshore@cisco.com> Wed, 07 September 2005 11:41 UTC

Message-ID: <431ED1D7.7020406@cisco.com>
Date: Wed, 07 Sep 2005 07:41:11 -0400
From: Melinda Shore <mshore@cisco.com>
To: "Steven M. Bellovin" <smb@cs.columbia.edu>
References: <20050906222815.4B7CC3BFD6F@berkshire.machshav.com>
In-Reply-To: <20050906222815.4B7CC3BFD6F@berkshire.machshav.com>
Cc: ietf@ietf.org
Subject: Re: ISMS working group and charter problems

Steven M. Bellovin wrote:
> More of his measurements concluded that at least 56% of hosts are
> behind a firewall that blocks by default.

It should be pointed out here that the problems
introduced by NATs are not quite the same as
problems introduced by firewalls.  While they
both impair reachability, NATs cause NATted hosts
to be unable to determine their own address (or
indeed to have an addressable presence at all
without initiating contact with another host).

In any event I think that it's a mistake to
assume that a firewall or NAT can inspect or
rewrite the contents of a data stream.  I'm not
sure that it's a good idea for the IETF to
tacitly (or otherwise) discourage encryption or
authentication.

I'm sort of "meh" on the idea of a mandatory firewall/
NAT/middlebox/filters section in protocol documents.
I'm not sure that there's a widespread problem that it
would solve.  In the case where there is a problem,
like this one, sharp eyes tend to catch it early.
We have mandatory security sections because securing
a particular protocol can be subtle and idiosyncratic
because of trust relationships and operating environment,
and firewall/NAT problems tend to be pretty much the
same from protocol to protocol with hard problems cropping
up in a small number of cases.

Melinda
