Re: [pntaw] New version of draft-hutton-rtcweb-nat-firewall-considerations

Melinda Shore <melinda.shore@gmail.com> Mon, 23 September 2013 06:47 UTC

Return-Path: <melinda.shore@gmail.com>
X-Original-To: pntaw@ietfa.amsl.com
Delivered-To: pntaw@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A40E11E819B for <pntaw@ietfa.amsl.com>; Sun, 22 Sep 2013 23:47:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.443
X-Spam-Level:
X-Spam-Status: No, score=-2.443 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, SUBJECT_FUZZY_TION=0.156]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OLLsdZJh3OLk for <pntaw@ietfa.amsl.com>; Sun, 22 Sep 2013 23:47:07 -0700 (PDT)
Received: from mail-pb0-x229.google.com (mail-pb0-x229.google.com [IPv6:2607:f8b0:400e:c01::229]) by ietfa.amsl.com (Postfix) with ESMTP id 9916C11E819A for <pntaw@ietf.org>; Sun, 22 Sep 2013 23:47:07 -0700 (PDT)
Received: by mail-pb0-f41.google.com with SMTP id rp2so2842375pbb.28 for <pntaw@ietf.org>; Sun, 22 Sep 2013 23:47:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=AsKyM08W8Vy2QXg6J+rwSVJ/NCUmDIh63N7bIeSelNc=; b=Q0dLf7PrXudHMmOI/DK19GkbcsrwFVMx7+y4Gp/Cwbw56Em8gMKGCPZ4WNni5P/bgo YTALehrlawPMtgj9iVK5ITsHdf9d+QzEa+9l6eCNEj449zyakejXe8d2gla/41siRv0D 8n0/igChigHMgkiL5MwJe+JZLqCUArElpCZkC4AaJSs6253fWA1lChPFyezVGZECkoOh addooD2WZKXCrO5g0ZYc4M5BVS/cEpAWI467MLEkqylPdPqNUgUNxmAQmmKrE13FhrmP Q+aH3/0Rwojx4TRr+UYwa1KJSF7lCmcfkz5A0vILihKv63Bnz8z2bLfVu2jjptalbgrA gjng==
X-Received: by 10.66.19.137 with SMTP id f9mr1818579pae.138.1379918827234; Sun, 22 Sep 2013 23:47:07 -0700 (PDT)
Received: from spandex.local (63-140-98-62.dynamic.dsl.acsalaska.net. [63.140.98.62]) by mx.google.com with ESMTPSA id qf7sm35816828pac.14.1969.12.31.16.00.00 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sun, 22 Sep 2013 23:47:06 -0700 (PDT)
Message-ID: <523FE3E7.3060101@gmail.com>
Date: Sun, 22 Sep 2013 22:47:03 -0800
From: Melinda Shore <melinda.shore@gmail.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:17.0) Gecko/20130620 Thunderbird/17.0.7
MIME-Version: 1.0
To: Oleg Moskalenko <mom040267@gmail.com>
References: <9F33F40F6F2CD847824537F3C4E37DDF17BCF3A5@MCHP04MSX.global-ad.net> <523CCD06.3030902@gmail.com> <BLU169-W136A55AC013DA147313576D93220@phx.gbl> <523CD42E.8070102@gmail.com> <BLU169-W82036280852F26ED26283C93230@phx.gbl> <523D4F17.2040202@gmail.com> <9F33F40F6F2CD847824537F3C4E37DDF17BD01A8@MCHP04MSX.global-ad.net> <CALDtMrL5pT3MfbQufCphEKq0-pXj+JcfwW__wzG3T6wZ=TuWhg@mail.gmail.com> <9F33F40F6F2CD847824537F3C4E37DDF17BD08EA@MCHP04MSX.global-ad.net> <CALDtMrLcUrxseyiaPc_0AWJw3HPdaBuAS+xpviT2q=y4zmdNgw@mail.gmail.com> <523FD5FD.8030601@gmail.com> <CALDtMrK=9D3qXXK6EeWF4RDk26GHPDgkYfQzdJpD33JNK_MeRw@mail.gmail.com>
In-Reply-To: <CALDtMrK=9D3qXXK6EeWF4RDk26GHPDgkYfQzdJpD33JNK_MeRw@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: "pntaw@ietf.org" <pntaw@ietf.org>
Subject: Re: [pntaw] New version of draft-hutton-rtcweb-nat-firewall-considerations
X-BeenThere: pntaw@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Discussion list for practices related to proxies, NATs, TURN, and WebRTC" <pntaw.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pntaw>, <mailto:pntaw-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pntaw>
List-Post: <mailto:pntaw@ietf.org>
List-Help: <mailto:pntaw-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pntaw>, <mailto:pntaw-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Sep 2013 06:47:08 -0000

On 9/22/13 10:41 PM, Oleg Moskalenko wrote:
> Melinda, you are assuming that the policies are a precise accurate
> instrument that can be used to set the exact network access rules.
> 
> They are not. The reality is that the modern state of network policies
> is rather behind the real-world requirements.

My comfort level with telling people who run networks
that their network access management policies and technologies
are behind the times and because we know better than they
do about these things it's fine if we punch holes in their
firewalls without asking is not very high, to be honest.

At any rate I do think it's worth understanding (yes, I
used the "u" word) that you're using technologies that were
intended to address NAT problems for firewall traversal
and that there are some security issues that need closer
scrutiny, particularly the specifics of how you protect
against abuse by attackers.

Melinda