IPP> Re: What is a Firewall? - Repeated contribution
Keith Moore <moore@cs.utk.edu> Sat, 04 July 1998 02:31 UTC
Delivery-Date: Fri, 03 Jul 1998 22:31:42 -0400
Return-Path: ipp-owner@pwg.org
Received: from cnri.reston.va.us (ns [132.151.1.1])
by ietf.org (8.8.5/8.8.7a) with ESMTP id WAA01497
for <ietf-archive@ietf.org>; Fri, 3 Jul 1998 22:31:41 -0400 (EDT)
Received: from lists.underscore.com (uscore-1.mv.com [199.125.85.30])
by cnri.reston.va.us (8.8.5/8.8.7a) with ESMTP id WAA26071
for <ietf-archive@cnri.reston.va.us>; Fri, 3 Jul 1998 22:34:02 -0400 (EDT)
Received: from localhost (daemon@localhost) by lists.underscore.com
(8.7.5/8.7.3) with SMTP id WAA22079 for <ietf-archive@cnri.reston.va.us>;
Fri, 3 Jul 1998 22:31:40 -0400 (EDT)
Received: by pwg.org (bulk_mailer v1.5); Fri, 3 Jul 1998 22:27:36 -0400
Received: (from daemon@localhost) by lists.underscore.com (8.7.5/8.7.3) id
WAA21419 for ipp-outgoing; Fri, 3 Jul 1998 22:17:31 -0400 (EDT)
Message-Id: <199807040217.WAA21909@spot.cs.utk.edu>
X-URI: http://www.cs.utk.edu/~moore/
From: Keith Moore <moore@cs.utk.edu>
To: Carl-Uno Manros <carl@manros.com>
cc: moore@cs.utk.edu, ipp@pwg.org, moore@cs.utk.edu
Subject: IPP> Re: What is a Firewall? - Repeated contribution
In-reply-to: Your message of "Fri, 03 Jul 1998 18:28:24 PDT."
<1.5.4.32.19980704012824.006819e0@pop3.holonet.net>
Date: Fri, 03 Jul 1998 22:17:15 -0400
Sender: owner-ipp@pwg.org
> Keith, > > As we still seem to be talking primarily about a firewall issue, or it least > it was in your earlier comment paper (now it seems that is suddenly become > a user issue), here is a reprint of a contribution from a from a few weeks > ago, which I am not sure that you ever saw. Yes, I saw it soon after you first posted it. The reason for using ipp: instead of http: is not to allow firewall filtering. Rather, it's implied by the use of a separate port for ipp, and the firewall argument is one of several reasons for a separate port. (There's also a lot of utility to be gained by using ipp:) As for the ability to filter on content, rather than port. Yes, firewalls do this. And many of them do it poorly. The higher on the stack that you try to do the filtering, the more complex the filter is, which increases the potential for errors or corruption of the data. It's also more difficult to configure the firewall to do the right thing. The last thing IESG and IAB want to do is to encourage more filtering at higher levels by failing to provide a way to distinguish at lower levels. Port numbers work just as well, are a lot simpler to get right, and we have 18 or so years experience with them. (more, if you count the experience with NCP that predated TCP) I have no doubt whatsoever that firewall vendors believe their products - no matter how complex they are - are the best things since sliced bread. But as a user I've fought too many battles with broken firewalls from major vendors, to have confidence in anything but the simplest ones. It's not that port blocking provides any security in a strong sense, but it does narrow down the number of vulnerabilities that you have to analyze. And while content-filtering could potentially work better, you end up buying a lot of complexity for marginal gain. > Maybe you want to share this contribution with your fellow IESG members? Tell you what. If you seriously want to argue to IESG that http: is the way to go, and if you're willing to incur the extra delay that will inevitably result, along with an extremely low chance of success, AND if you can get the backing of the working group to take this approach... then go right ahead. Set up a web page with your argument as to why things should be this way, and I'll pass it along to IESG. Or just send it to iesg@ietf.org. Keith
- IPP> What is a Firewall? - Repeated contribution Carl-Uno Manros
- IPP> Re: What is a Firewall? - Repeated contribut… Keith Moore