Re: ISMS working group and charter problems
"Steven M. Bellovin" <smb@cs.columbia.edu> Tue, 06 September 2005 23:54 UTC
From: "Steven M. Bellovin" <smb@cs.columbia.edu>
To: Iljitsch van Beijnum <iljitsch@muada.com>
In-Reply-To: Your message of "Wed, 07 Sep 2005 01:34:17 +0200." <E8014931-944D-42C9-A950-F3B1CFB1B0C5@muada.com>
Date: Tue, 06 Sep 2005 19:54:21 -0400
Message-Id: <20050906235421.3B0603BFD6F@berkshire.machshav.com>
Cc: IETF Discussion <ietf@ietf.org>
In message <E8014931-944D-42C9-A950-F3B1CFB1B0C5@muada.com>, Iljitsch van Beijnum writes:
> On 7-sep-2005, at 1:04, Steven M. Bellovin wrote:
>
>>> Either the firewall successfully blocks the protocol and the firewall works and the
>>> protocol doesn't, or the firewall doesn't manage to block the protocol and the protocol
>>> works but the firewall doesn't. So whatever happens, someone is going to be unhappy.
>
>> Not at all. Often, a firewall needs to know a fair amount about the protocol to do its
>> job. FTP is the simplest case -- it has to look for the PORT (and, in some
>> configurations, the PASV) command. H.323 and SIP are more complex.
>
> I'm not very comfortable with the notion of having a third party device deciding what
> is valid communication between two hosts connected to the internet. This is just too
> fragile. For instance, a popular filter on *BSD (they're all named [i]pf[w] so I can
> never remember which is which) is unable to handle RFC 1323 window scaling properly.
> PIX firewalls truncate(d) EDNS0 packets. ICMP packet too bigs are filtered in many
> places, as is ECN.
>
> I recognize that carrying all existing firewalls to the scrap heap won't immediately
> solve our problems, but we do have to realize that current filter practices do almost
> as much harm as they do good. We really need better stuff here.
>
> (It's amusing to see that to some people, security means encrypting their
> communication, while to others it means inspecting that same communication.)
>
I opt for each in its place. I'm also an advocate for distributed firewalls. But I *really* don't want to refight the whole firewall issue yet again; I've been through that too many times in the last decade or so.

For right now, though, the issue is engineering. Again, the vast majority of hosts are behind firewalls. Is the philosophical issue that important that we should ignore it? I don't think so.

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
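As an illustration of the PORT/PASV inspection Steve refers to (an added example, not code from anyone in the thread), this is the control-channel parsing an FTP-aware firewall does before it opens a pinhole for the data connection. The two sanity checks (announced address must be the control-connection peer's own, port must be unprivileged) are an assumed but common ALG policy, not something the thread specifies.

```python
import re
from typing import Optional, Tuple

# The six comma-separated decimal fields of a PORT command or PASV reply (RFC 959):
# h1,h2,h3,h4 form the IPv4 address, p1*256+p2 the TCP port.
_SIX = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"

def _decode(match: "re.Match") -> Optional[Tuple[str, int]]:
    nums = [int(x) for x in match.groups()]
    if any(n > 255 for n in nums):       # e.g. "999,1,1,1,4,1" is malformed
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def parse_port(line: str) -> Optional[Tuple[str, int]]:
    """Client -> server: 'PORT h1,h2,h3,h4,p1,p2' (active mode)."""
    m = re.fullmatch(r"PORT\s+" + _SIX + r"\s*", line.strip(), re.IGNORECASE)
    return _decode(m) if m else None

def parse_pasv(line: str) -> Optional[Tuple[str, int]]:
    """Server -> client: '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'."""
    if not line.startswith("227"):
        return None
    m = re.search(_SIX, line)
    return _decode(m) if m else None

def data_channel_pinhole(line: str, ctl_client: str, ctl_server: str):
    """Return (initiator_ip, target_ip, target_port) the firewall should permit
    for the upcoming data connection, or None if the announcement is malformed
    or names an address other than the peer that sent it (assumed policy: this
    refuses third-party data endpoints and privileged ports)."""
    ep = parse_port(line)
    if ep:                               # active mode: server connects to client
        if ep[0] != ctl_client or ep[1] < 1024:
            return None
        return (ctl_server, ep[0], ep[1])
    ep = parse_pasv(line)
    if ep:                               # passive mode: client connects to server
        if ep[0] != ctl_server or ep[1] < 1024:
            return None
        return (ctl_client, ep[0], ep[1])
    return None
```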