[pcp] Fwd: I-D Action: draft-ietf-opsawg-firewalls-01.txt

Shishio Tsuchiya <shtsuchi@cisco.com> Mon, 18 March 2013 08:17 UTC

Message-ID: <5146CD8B.3030108@cisco.com>
Date: Mon, 18 Mar 2013 17:17:15 +0900
From: Shishio Tsuchiya <shtsuchi@cisco.com>
To: opsawg@ietf.org, pcp@ietf.org
References: <20121018225055.13626.59722.idtracker@ietfa.amsl.com>
In-Reply-To: <20121018225055.13626.59722.idtracker@ietfa.amsl.com>
Subject: [pcp] Fwd: I-D Action: draft-ietf-opsawg-firewalls-01.txt

I read the draft, and I think this is useful for deciding operators' security policy and vendors' implementation.
BTW, today's IPv6 network environment makes it easy to build cascaded networks, because most CPE equipment has already
implemented "hierarchical DHCPv6 Prefix Delegation" and most ISPs provide the IPv6 prefix by DHCP-PD.
http://tools.ietf.org/html/draft-chakrabarti-homenet-prefix-alloc-01#section-6

User---|Home GW|----|CPE|-------ISP network
               <--DHCP-pd   <--DHCP-pd

In this case, who should act as the firewall?

The CPE would firewall the user traffic for all of the delegated prefix, and the Home GW might firewall the user traffic as well.
If the security policy is the same, then user traffic would be double counted/checked on both the Home GW and the CPE.
That is a waste of resources and might degrade the user experience.

It is enough for just one of them to do it.
What do you think?

If the security policy differs between the CPE and the Home GW, then they might need to communicate and exchange policy.
Would PCP be useful for this case?

Regards,
-Shishio
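A small model of the cascaded topology discussed above, added here as an illustration and not part of the original mail, the draft, or any vendor implementation. It assumes a constructed addressing plan (ISP delegates 2001:db8:ab00::/56 to the CPE, the CPE sub-delegates a /60 to the Home GW), a simple stateful policy on each box, and a hypothetical "policy exchange" step standing in for whatever mechanism (PCP or otherwise) would let the CPE learn the Home GW's inbound openings. It counts how many times one flow is policy-checked end to end, and shows that an inbound rule configured only on the Home GW is ineffective unless the upstream CPE learns it.

```python
"""Toy model of a cascaded IPv6 home network with hierarchical DHCPv6-PD.

Constructed example: ISP -> CPE (/56), CPE -> Home GW (/60). Each box runs a
stateful firewall; we count policy evaluations per flow and show the effect
of the CPE not knowing the Home GW's inbound allow rule.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    direction: str  # "out" = user towards Internet, "in" = Internet towards user


@dataclass(frozen=True)
class Policy:
    # Destination ports reachable from the Internet without prior outbound state.
    inbound_allow_ports: frozenset = frozenset()


@dataclass
class Firewall:
    name: str
    protected: ipaddress.IPv6Network          # prefix this box filters for
    policy: Policy
    state: set = field(default_factory=set)   # (local_addr, remote_addr) pairs
    checks: int = 0                           # number of policy evaluations

    def permit(self, flow: Flow) -> bool:
        """Evaluate the policy once for this flow; True means forward it."""
        self.checks += 1
        if flow.direction == "out":
            # Only hosts inside the protected prefix may originate traffic;
            # doing so creates state so that replies are accepted later.
            if ipaddress.ip_address(flow.src) not in self.protected:
                return False
            self.state.add((flow.src, flow.dst))
            return True
        # Inbound: must target our prefix, then either match existing state
        # or an explicitly opened port.
        if ipaddress.ip_address(flow.dst) not in self.protected:
            return False
        if (flow.dst, flow.src) in self.state:
            return True
        return flow.dport in self.policy.inbound_allow_ports


def delegate(parent: ipaddress.IPv6Network, new_prefixlen: int, index: int):
    """Hierarchical PD: hand out the index-th sub-prefix of the parent."""
    return list(parent.subnets(new_prefix=new_prefixlen))[index]


def traverse(flow: Flow, hops: list) -> bool:
    """Walk the flow through the firewalls in order; a drop stops the walk."""
    return all(fw.permit(flow) for fw in hops)


def run_cascade(share_policy: bool) -> dict:
    isp_prefix = ipaddress.IPv6Network("2001:db8:ab00::/56")   # constructed
    home_prefix = delegate(isp_prefix, 60, 1)                  # 2001:db8:ab00:10::/60
    cpe = Firewall("CPE", isp_prefix, Policy())
    gw = Firewall("HomeGW", home_prefix, Policy(frozenset({443})))
    if share_policy:
        # Hypothetical policy exchange: the CPE learns the Home GW's opening.
        cpe.policy = Policy(cpe.policy.inbound_allow_ports
                            | gw.policy.inbound_allow_ports)

    user, server = str(home_prefix[0x100]), "2001:db8:ffff::1"  # constructed
    outbound = Flow(user, server, 80, "out")
    reply = Flow(server, user, 80, "in")
    unsolicited = Flow("2001:db8:eeee::9", user, 443, "in")

    return {
        "home_prefix": str(home_prefix),
        "outbound": traverse(outbound, [gw, cpe]),        # user -> HomeGW -> CPE
        "reply": traverse(reply, [cpe, gw]),              # Internet -> CPE -> HomeGW
        "unsolicited_443": traverse(unsolicited, [cpe, gw]),
        "cpe_checks": cpe.checks,
        "homegw_checks": gw.checks,
    }


if __name__ == "__main__":
    for shared in (False, True):
        print("policy shared with CPE:", shared, run_cascade(shared))
```

With identical policies every permitted flow is evaluated twice (once per box), which is the duplicated work the mail describes. With differing policies, the Home GW's port 443 opening never takes effect until the CPE is told about it, because the CPE drops the unsolicited packet before the Home GW ever sees it; that is the gap a policy exchange between the two boxes would have to close.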

-------- Original Message --------
Subject: I-D Action: draft-ietf-opsawg-firewalls-01.txt
Date: Thu, 18 Oct 2012 15:50:55 -0700
From: <internet-drafts@ietf.org>
Reply-To: <internet-drafts@ietf.org>
To: <i-d-announce@ietf.org>
CC: <opsawg@ietf.org>


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Operations and Management Area Working Group of the IETF.

	Title           : On Firewalls in Internet Security
	Author(s)       : Fred Baker
                          Paul Hoffman
	Filename        : draft-ietf-opsawg-firewalls-01.txt
	Pages           : 10
	Date            : 2012-10-18

Abstract:
   This document discusses the most important operational and security
   implications of using modern firewalls in networks.  It makes
   recommendations for operators of firewalls, as well as for firewall
   vendors.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-opsawg-firewalls

There's also a htmlized version available at:
http://tools.ietf.org/html/draft-ietf-opsawg-firewalls-01

A diff from the previous version is available at:
http://www.ietf.org/rfcdiff?url2=draft-ietf-opsawg-firewalls-01


Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

_______________________________________________
I-D-Announce mailing list
I-D-Announce@ietf.org
https://www.ietf.org/mailman/listinfo/i-d-announce
Internet-Draft directories: http://www.ietf.org/shadow.html
or ftp://ftp.ietf.org/ietf/1shadow-sites.txt