Re: [pcp] Fwd: I-D Action: draft-ietf-opsawg-firewalls-01.txt

Ted Lemon <Ted.Lemon@nominum.com> Mon, 18 March 2013 12:39 UTC

From: Ted Lemon <Ted.Lemon@nominum.com>
To: Shishio Tsuchiya <shtsuchi@cisco.com>
Thread-Topic: [pcp] Fwd: I-D Action: draft-ietf-opsawg-firewalls-01.txt
Date: Mon, 18 Mar 2013 12:38:59 +0000
Message-ID: <8D23D4052ABE7A4490E77B1A012B630775111F85@mbx-01.win.nominum.com>
References: <20121018225055.13626.59722.idtracker@ietfa.amsl.com> <5146CD8B.3030108@cisco.com>
In-Reply-To: <5146CD8B.3030108@cisco.com>
Accept-Language: en-US
Content-Language: en-US
Cc: "<opsawg@ietf.org>" <opsawg@ietf.org>, "<pcp@ietf.org>" <pcp@ietf.org>
Subject: Re: [pcp] Fwd: I-D Action: draft-ietf-opsawg-firewalls-01.txt

On Mar 18, 2013, at 4:17 AM, Shishio Tsuchiya <shtsuchi@cisco.com> wrote:

> The CPE would do firewalling of the user traffic for all of the delegated prefix, and the Home GW might do firewalling of user traffic as well.
> If the security policy is the same, then user traffic would be double counted/checked on both the HomeGW and the CPE.
> It is a waste of resources and might degrade the user experience.
> 
> It is enough for just one of them to do it.
> What do you think?

You might want to look at the work Erik Kline and Lorenzo Colitti have been doing in homenet on homenet edge detection.

As for hierarchical prefix delegation, the current way of doing it is broken—if you divide the prefix arbitrarily and delegate larger prefixes than /64 within the home, you wind up with a mess, although it does make routing simple until it fails. If you want to do prefix delegation within the home, the CPE edge router that got the delegation from the ISP should be the delegating router for the entire home, and the routers below it in the hierarchy should relay PD requests up to the CPE edge.
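As an added illustration of the design recommended in the reply above (this is example code written for this archive page, not code from Ted Lemon, the homenet work, or any shipping implementation): the CPE edge holds the ISP-delegated pool and is the only delegating router, and each interior router wraps the PD client's message in a DHCPv6 Relay-Forward and sends it upstream rather than carving up its own prefix. Wire formats follow RFC 3315 (message header, relay encapsulation, option TLVs) and RFC 3633 (OPTION_IA_PD, OPTION_IAPREFIX). Only the Request/Reply leg is modelled; the Solicit/Advertise leg, DUID validation, and renewals are omitted, and the /56 pool, DUIDs, link/peer addresses and lifetimes are constructed values. Because every /64 comes out of one pool, two relays deep or five relays deep makes no difference to how much of the /56 is consumed.

```python
"""Added example (not from the thread): DHCPv6-PD with the CPE edge as the sole
delegating router and interior routers relaying requests up to it.
Wire formats: RFC 3315 (DHCPv6) and RFC 3633 (IA_PD / IAPREFIX).
Pool, DUIDs, addresses and lifetimes below are constructed values."""
import ipaddress
import struct

REQUEST, REPLY, RELAY_FORW, RELAY_REPL = 3, 7, 12, 13
OPT_CLIENTID, OPT_SERVERID, OPT_RELAY_MSG, OPT_IA_PD, OPT_IAPREFIX = 1, 2, 9, 25, 26


def opt(code, data):
    """Encode one DHCPv6 option: 2-byte code, 2-byte length, payload."""
    return struct.pack("!HH", code, len(data)) + data


def parse_opts(buf):
    """Decode a run of options into a list of (code, payload) pairs."""
    opts = []
    while len(buf) >= 4:
        code, length = struct.unpack("!HH", buf[:4])
        opts.append((code, buf[4:4 + length]))
        buf = buf[4 + length:]
    return opts


def build_request(xid, client_duid, iaid, hint_plen):
    """The interior router (PD client) asks for a prefix; the hint carries a length only."""
    iaprefix = opt(OPT_IAPREFIX, struct.pack("!IIB", 0, 0, hint_plen) + bytes(16))
    ia_pd = opt(OPT_IA_PD, struct.pack("!III", iaid, 0, 0) + iaprefix)
    return bytes([REQUEST]) + xid.to_bytes(3, "big") + opt(OPT_CLIENTID, client_duid) + ia_pd


def relay_forward(hop_count, link_addr, peer_addr, inner):
    """A router below the CPE wraps the message in Relay-Forward and sends it
    upstream instead of delegating from its own prefix."""
    return (bytes([RELAY_FORW, hop_count])
            + ipaddress.IPv6Address(link_addr).packed
            + ipaddress.IPv6Address(peer_addr).packed
            + opt(OPT_RELAY_MSG, inner))


class DelegatingRouter:
    """The CPE edge: holds the ISP-delegated pool and hands out /64s from it."""

    def __init__(self, pool, server_duid, delegated_len=64):
        self.pool = ipaddress.IPv6Network(pool)
        self.free = list(self.pool.subnets(new_prefix=delegated_len))
        self.leases = {}  # (client DUID, IAID) -> IPv6Network
        self.duid = server_duid

    def handle(self, msg):
        if msg[0] == RELAY_FORW:
            # Peel one relay layer, answer the inner message, and re-wrap it in a
            # Relay-Reply carrying the same hop/link/peer so the relay can route it back.
            hop, link, peer = msg[1], msg[2:18], msg[18:34]
            inner = dict(parse_opts(msg[34:]))[OPT_RELAY_MSG]
            return bytes([RELAY_REPL, hop]) + link + peer + opt(OPT_RELAY_MSG, self.handle(inner))
        if msg[0] != REQUEST:
            raise ValueError("example handles Request only, got msg-type %d" % msg[0])
        xid, opts = msg[1:4], dict(parse_opts(msg[4:]))
        client_duid = opts[OPT_CLIENTID]
        iaid = struct.unpack("!I", opts[OPT_IA_PD][:4])[0]
        key = (client_duid, iaid)
        if key not in self.leases:
            if not self.free:
                raise RuntimeError("pool exhausted")  # a /56 yields exactly 256 /64s
            self.leases[key] = self.free.pop(0)
        net = self.leases[key]
        iaprefix = opt(OPT_IAPREFIX,
                       struct.pack("!IIB", 3600, 7200, net.prefixlen) + net.network_address.packed)
        ia_pd = opt(OPT_IA_PD, struct.pack("!III", iaid, 1800, 2880) + iaprefix)
        return (bytes([REPLY]) + xid + opt(OPT_SERVERID, self.duid)
                + opt(OPT_CLIENTID, client_duid) + ia_pd)


def unwrap_relay_reply(msg):
    """Each relay strips its own Relay-Reply layer; the client ends up with a bare Reply."""
    while msg[0] == RELAY_REPL:
        msg = dict(parse_opts(msg[34:]))[OPT_RELAY_MSG]
    return msg


def delegated_prefix(reply):
    """Pull the delegated prefix out of the Reply's IA_PD / IAPREFIX options."""
    ia_pd = dict(parse_opts(reply[4:]))[OPT_IA_PD]
    for code, data in parse_opts(ia_pd[12:]):  # skip IAID, T1, T2
        if code == OPT_IAPREFIX:
            return ipaddress.IPv6Network((bytes(data[9:25]), data[8]))
    raise ValueError("no IAPREFIX in reply")


def run_exchange(cpe, client_duid, iaid, relay_path):
    """Client -> relays (innermost first) -> CPE -> back down; returns the prefix."""
    msg = build_request(0xABCDEF, client_duid, iaid, 64)
    for hop, (link_addr, peer_addr) in enumerate(relay_path):
        msg = relay_forward(hop, link_addr, peer_addr, msg)
    return delegated_prefix(unwrap_relay_reply(cpe.handle(msg)))


if __name__ == "__main__":
    cpe = DelegatingRouter("2001:db8:1200::/56", bytes.fromhex("0003000100aabbccddee"))
    # Two constructed relays between the requesting router and the CPE edge.
    path = [("2001:db8:1200:f::1", "fe80::a"), ("2001:db8:1200:e::1", "fe80::b")]
    for duid in (b"router-a", b"router-b", b"router-a"):
        print(duid.decode(), "->", run_exchange(cpe, duid, 1, path))
```

Running it prints one /64 per (DUID, IAID) and returns the same /64 when router-a asks again. The contrast with the "divide the prefix arbitrarily" approach is the `free` list: the CPE sees all 256 /64s of its /56 no matter how deep the relay chain is, whereas a router that halves its prefix at each hop loses a bit of the pool per level and can hand a downstream router a prefix too small to delegate further.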