Re: [OPSAWG] I-D Action: draft-gont-opsawg-firewalls-analysis-01.txt

Brian E Carpenter <brian.e.carpenter@gmail.com> Mon, 19 October 2015 02:52 UTC

To: opsawg@ietf.org
References: <20151013134530.1812.97650.idtracker@ietfa.amsl.com>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
Message-ID: <56245AE1.405@gmail.com>
Date: Mon, 19 Oct 2015 15:52:17 +1300
Archived-At: <http://mailarchive.ietf.org/arch/msg/opsawg/hIVpKPKiX04jrjDN8ugWZBu-WEU>
Subject: Re: [OPSAWG] I-D Action: draft-gont-opsawg-firewalls-analysis-01.txt

Hmm. I've finally made time to read this draft, to find out what the
fuss is about...

Firstly, I have to find a polite way of saying... well, I can't, so
here it is: delete the Introduction and try again. I think the present
text is guaranteed to annoy just about everybody, and evidently it will
not "end the bickering."

(I gave my own potted history of security in the IETF in the plenary
at IETF 88, slides 2-4.)

Then, I can see 12 RFCs in the index whose titles include the word 'firewall',
and that only scratches the surface; there are literally hundreds of references
to firewalls in existing RFCs. IMHO, if this draft aims to survey the field,
it needs to survey the IETF and non-IETF literature much better (perhaps as
an appendix).

Overall, this draft seems to me to be an opinion piece. That's fine of course,
everyone is entitled to state their opinion, but I'm not sure that it helps
the IETF to know what to do next. It reads more like a CCR editorial article
or an Independent Submission RFC.

To some more specific comments:

Section 4.1 seems to increase rather than decrease the popular confusion
between firewall functions and NAT functions. I would prefer to see
NAT described in a separate section *as a side issue*. NAT failure modes
are not the same as firewall failure modes.

Section 4.3 cites draft-vyncke-advanced-ipv6-security, which is very dead
as far as I can tell. I don't think we should be citing dead work
in a current IETF draft.

Regards
   Brian Carpenter