Re: [OPSAWG] I-D Action: draft-gont-opsawg-firewalls-analysis-01.txt
Fernando Gont <fgont@si6networks.com> Tue, 20 October 2015 01:05 UTC
Return-Path: <fgont@si6networks.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F1B831B2F9B for <opsawg@ietfa.amsl.com>; Mon, 19 Oct 2015 18:05:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.224
X-Spam-Level:
X-Spam-Status: No, score=-0.224 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FUZZY_CREDIT=1.678, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FVjQ7VIQnrgG for <opsawg@ietfa.amsl.com>; Mon, 19 Oct 2015 18:05:00 -0700 (PDT)
Received: from web01.jbserver.net (web01.jbserver.net [IPv6:2a00:8240:6:a::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E19EC1B2F95 for <opsawg@ietf.org>; Mon, 19 Oct 2015 18:04:59 -0700 (PDT)
Received: from [181.46.190.53] (helo=[172.16.17.13]) by web01.jbserver.net with esmtpsa (TLSv1.2:DHE-RSA-AES128-SHA:128) (Exim 4.85) (envelope-from <fgont@si6networks.com>) id 1ZoLMF-0000jN-Ni; Tue, 20 Oct 2015 03:04:56 +0200
To: Brian E Carpenter <brian.e.carpenter@gmail.com>, opsawg@ietf.org
References: <20151013134530.1812.97650.idtracker@ietfa.amsl.com> <56245AE1.405@gmail.com>
From: Fernando Gont <fgont@si6networks.com>
X-Enigmail-Draft-Status: N1110
Message-ID: <5625934B.4070006@si6networks.com>
Date: Mon, 19 Oct 2015 22:05:15 -0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0
MIME-Version: 1.0
In-Reply-To: <56245AE1.405@gmail.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/opsawg/j01-2qL-fgyCVEkdvpb6dcHw3_U>
Subject: Re: [OPSAWG] I-D Action: draft-gont-opsawg-firewalls-analysis-01.txt
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Oct 2015 01:05:01 -0000
Hi, Brian, Thanks so much for your feedback! Please find my comments in-line... On 10/18/2015 11:52 PM, Brian E Carpenter wrote: > Hmm. I've finally made time to read this draft, to find out what the > fuss is about... > > Firstly, I have to find a polite way of saying... well, I can't, so > here it is: delete the Introduction and try again. I think the present > text is guaranteed to annoy just about everybody, and evidently it will > not "end the bickering." Point taken. The intro will be replaced. While we're past the I-D submission cutoff, I'll craft replacing text and post it here for review. > (I gave my own potted history of security in the IETF in the plenary > at IETF 88, slides 2-4.) Thanks for the pointer. I will go through it. > Then, I can see 12 RFCs in the index whose titles include the word 'firewall' > and that only scratches the surface; there are literally hundreds of references > to firewalls in existing RFCs. IMHO, if this draft aims to survey the field, > it needs to survey the IETF and non-IETF literature much better (perhaps as > an appendix). Will do. > Overall, this draft seems to me to be an opinion piece. That's fine of course, > everyone is entitled to state their opinion, but I'm not sure that it helps > the IETF to know what to do next. It reads more like a CCR editorial article > or an Independent Submission RFC. Among other things, I think it is useful in implicitly noting areas where further work is needed. > To some more specific comments: > > Section 4.1 seems to increase rather than decrease the popular confusion > between firewall functions and NAT functions. I would prefer to see > NAT described in a separate section *as a side issue*. NAT failure modes > are not the same as firewall failure modes. I think that people confuse NAT device vs. NAT functionality. A NAT device enforces, as a side effect, a diode-firewall (only allow return traffic) functionality. Address Translation itself has nothing to do with firewalling, but the side a effect does. That said, we'll move the NAT stuff to a separate section. Other folks seem to share your opinion, too. > Section 4.3 cites draft-vyncke-advanced-ipv6-security, which is very dead > as far as I can tell. I don't think we should be citing dead work > in a current IETF draft. Point taken. Although they might revise soon -- we'll remove or keep it based on what they do about it. Thanks! Best regards, -- Fernando Gont SI6 Networks e-mail: fgont@si6networks.com PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
- Re: [OPSAWG] I-D Action: draft-gont-opsawg-firewa… Brian E Carpenter
- Re: [OPSAWG] I-D Action: draft-gont-opsawg-firewa… Blumenthal, Uri - 0553 - MITLL
- Re: [OPSAWG] I-D Action: draft-gont-opsawg-firewa… Mark Andrews
- Re: [OPSAWG] I-D Action: draft-gont-opsawg-firewa… Melinda Shore
- Re: [OPSAWG] I-D Action: draft-gont-opsawg-firewa… Mark Andrews
- Re: [OPSAWG] I-D Action: draft-gont-opsawg-firewa… Fernando Gont
- Re: [OPSAWG] I-D Action: draft-gont-opsawg-firewa… Fernando Gont