Re: [OPSAWG] [Int-area] [OPSEC] "On Firewalls in Internet Security" (Fwd: New Version Notification for draft-gont-opsawg-firewalls-analysis-00.txt)
Mark Andrews <marka@isc.org> Mon, 12 October 2015 00:26 UTC
Return-Path: <marka@isc.org>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 99A931B2F3B; Sun, 11 Oct 2015 17:26:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.411
X-Spam-Level:
X-Spam-Status: No, score=-6.411 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, GB_ABOUTYOU=0.5, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sTeZGaRQC894; Sun, 11 Oct 2015 17:25:59 -0700 (PDT)
Received: from mx.ams1.isc.org (mx.ams1.isc.org [199.6.1.65]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 00F7A1B2F39; Sun, 11 Oct 2015 17:25:58 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx.ams1.isc.org (Postfix) with ESMTPS id C4FC81FCAB9; Mon, 12 Oct 2015 00:25:55 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 88C2F16004B; Mon, 12 Oct 2015 00:25:55 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 6AA86160059; Mon, 12 Oct 2015 00:25:55 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id in2rmxRXyVLM; Mon, 12 Oct 2015 00:25:55 +0000 (UTC)
Received: from rock.dv.isc.org (c122-106-161-187.carlnfd1.nsw.optusnet.com.au [122.106.161.187]) by zmx1.isc.org (Postfix) with ESMTPSA id B713A16004B; Mon, 12 Oct 2015 00:25:54 +0000 (UTC)
Received: from rock.dv.isc.org (localhost [IPv6:::1]) by rock.dv.isc.org (Postfix) with ESMTP id 8F7CD3A2FFD8; Mon, 12 Oct 2015 11:25:51 +1100 (EST)
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
From: Mark Andrews <marka@isc.org>
References: <20150915004941.13204.35415.idtracker@ietfa.amsl.com> <55F76EA7.6090405@si6networks.com> <D2386149.59FC9%evyncke@cisco.com> <56179631.8060803@si6networks.com> <5617B205.5030004@gmx.net>
In-reply-to: Your message of "Fri, 09 Oct 2015 14:24:37 +0200." <5617B205.5030004@gmx.net>
Date: Mon, 12 Oct 2015 11:25:51 +1100
Message-Id: <20151012002551.8F7CD3A2FFD8@rock.dv.isc.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/opsawg/2YQl6xBz6jtMyIkyAx59U-oPmPQ>
Cc: draft-gont-opsawg-firewalls-analysis@tools.ietf.org, Internet Area <int-area@ietf.org>, "opsawg@ietf.org" <opsawg@ietf.org>
Subject: Re: [OPSAWG] [Int-area] [OPSEC] "On Firewalls in Internet Security" (Fwd: New Version Notification for draft-gont-opsawg-firewalls-analysis-00.txt)
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Oct 2015 00:26:00 -0000
In message <5617B205.5030004@gmx.net>, Hannes Tschofenig writes: > > Dear authors, > > Who is the target audience for this document? > > Do you think that audience cares about your opinion particularly since > firewalls are around for a little while already? (One might argue that > you are about 20 years late with this document.) > > Aren't you worried that readers might think you are a bit biased? I > would be more interested to read a document written by an end-host-based > firewall manufacturer that argues for the deployment of network-based > firewalls. > > Ciao > Hannes > > PS: The recommendations do not appear to be new and have been mentioned > in other documents already. Lots of the content is pertanent today. Look at the treatement of DNS packets in todays firewalls. It took years to get EDNS packets larger then 512 bytes through most firewalls by default. Some still block packets bigger than 512 bytes. There are firewalls that block queries that are not in a small set to types. There are firewalls that block fragmented responses leaving the site. Who is the firewall protecting in this case and is it really the firewall's job to do that protection? There are firewalls that block fragmented responses to outgoing queries. How hard is it to add permit <src-addr,dst-addr,proto=udp, fragoffset!=0> when adding <src-addr,dst-addr,proto=udp,src-port=53, dst-port=???> to allow reply traffic through? Open up a slit for the non initial fragments. There are still firewalls that block queries with the DO bit. This breaks DNSSSEC. There are firewalls that block queries with the AD bit. The use of AD is documented in RFC 6840. There are firewalls that block queries with the last reserved DNS header bit set. The bit should be ignored by the server. There are firewalls that block requests with a unknown opcode. This should elicit a NOTIMP from the server. Firewalls are blocking EDNS packets with the version != 0 which breaks EDNS version negotiation and with that the ability to use the feature reliably in future enhancements. This is despite the initial EDNS specification (RFC 2671) saying to return BADVERS to such packets. Firewalls are blocking EDNS packets with unknown EDNS flags despite the initial EDNS specifiction (RFC 2671) saying that servers need to ignore them. Firewall that block unknown EDNS options. This is going to impact on the deployment of EDNS COOKIES. Unknown EDNS options are supposed to be ignored, RFC 6891. This behaviour was undefined in RFC2671. The DNS is a query response protocol. If you don't get response it is a little hard to tell if the server is down, if a packet just got lost, if there is a router down or if it is a stupid firewall vendor that thinks it is useful to drop well defined queries with well defined response behaviour specified. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
- [OPSAWG] "On Firewalls in Internet Security" (Fwd… Fernando Gont
- Re: [OPSAWG] [OPSEC] "On Firewalls in Internet Se… Panos Kampanakis (pkampana)
- Re: [OPSAWG] [OPSEC] "On Firewalls in Internet Se… Linda Dunbar
- Re: [OPSAWG] [OPSEC] "On Firewalls in Internet Se… Melinda Shore
- Re: [OPSAWG] [OPSEC] "On Firewalls in Internet Se… Fernando Gont
- Re: [OPSAWG] [OPSEC] "On Firewalls in Internet Se… Fernando Gont
- Re: [OPSAWG] [OPSEC] "On Firewalls in Internet Se… Fernando Gont
- Re: [OPSAWG] [OPSEC] "On Firewalls in Internet Se… Blumenthal, Uri - 0553 - MITLL
- Re: [OPSAWG] [OPSEC] "On Firewalls in Internet Se… Panos Kampanakis (pkampana)
- Re: [OPSAWG] [OPSEC] "On Firewalls in Internet Se… Linda Dunbar
- Re: [OPSAWG] [OPSEC] "On Firewalls in Internet Se… Linda Dunbar
- Re: [OPSAWG] [OPSEC] "On Firewalls in Internet Se… Black, David
- Re: [OPSAWG] [OPSEC] "On Firewalls in Internet Se… Eric Vyncke (evyncke)
- Re: [OPSAWG] [OPSEC] "On Firewalls in Internet Se… Fernando Gont
- Re: [OPSAWG] [Int-area] [OPSEC] "On Firewalls in … Hannes Tschofenig
- Re: [OPSAWG] [Int-area] [OPSEC] "On Firewalls in … Mark Andrews
- Re: [OPSAWG] [Int-area] [OPSEC] "On Firewalls in … Blumenthal, Uri - 0553 - MITLL
- Re: [OPSAWG] [Int-area] [OPSEC] "On Firewalls in … Fernando Gont
- Re: [OPSAWG] [Int-area] [OPSEC] "On Firewalls in … Fernando Gont
- Re: [OPSAWG] [Int-area] [OPSEC] "On Firewalls in … Mark Andrews