[rrg] [ILNP] Firewalls and good practices

Stephane Bortzmeyer <bortzmeyer@nic.fr> Sun, 08 July 2012 14:37 UTC

In
<http://www0.cs.ucl.ac.uk/research/researchnotes/documents/RN_05_22.pdf>,
you can read "The use of Identifiers enables firewalls to have access
control rules that are based on identity, rather than address or
location. This might permit a corporate IT security manager to give
the CEO's laptop more privileges than a network-capable ID badge
reader, for example." 

This claim is not reproduced in the current set of I-D and rightly so:
because ILNP has no protection of the Identifier (such as ORCHID), it
is easy to lie about your Identifier.

So, what are the good practices for firewalls with ILNP? The current
set of I-D does not mention it (maybe it is too early). I would say
that, since you can get *some* authentication of the Locator (BCP 38,
returnability with protocols like TCP), filtering on the Locator may
be a sensible idea while filtering on the Identifier is a very bad
one.

This would be consistent with the current practice. With Apache, when
you write 'Allow from 2001:660:3003::/48', you say "Allow every
machine which happens to be connected in this network". You authorize
a localisation, not an identity.

Do you think it would be a good addition in Security Considerations
for future documents?
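
An added example, not part of the original message or of any ILNP document: a sketch of the two filtering policies compared above, assuming the ILNPv6 layout (upper 64 bits of the address are the Locator, lower 64 bits the Identifier). The class names and the sample addresses are constructed for illustration; only the 2001:660:3003::/48 prefix comes from the message.

```python
import ipaddress

MASK64 = (1 << 64) - 1

def split_ilnp(addr):
    """Split an ILNPv6 source address into (locator, identifier).
    Assumption: Locator = upper 64 bits, Identifier = lower 64 bits."""
    n = int(ipaddress.IPv6Address(addr))
    return n >> 64, n & MASK64

class LocatorAcl:
    """Filter on the Locator only, like Apache's 'Allow from <prefix>'."""
    def __init__(self, allowed_prefixes):
        self.nets = [ipaddress.IPv6Network(p) for p in allowed_prefixes]
        for net in self.nets:
            if net.prefixlen > 64:
                # A longer prefix would start matching Identifier bits.
                raise ValueError(f"{net} extends into the Identifier")

    def permits(self, src):
        locator, _ = split_ilnp(src)
        # Zero the Identifier before matching: it plays no part in the decision.
        loc_only = ipaddress.IPv6Address(locator << 64)
        return any(loc_only in net for net in self.nets)

class IdentifierAcl:
    """Filter on the Identifier only: the practice the message argues against,
    because the Identifier is an unauthenticated claim by the sender."""
    def __init__(self, allowed_identifiers):
        self.ids = set(allowed_identifiers)

    def permits(self, src):
        return split_ilnp(src)[1] in self.ids

# Constructed sample addresses: the same Identifier seen behind two Locators.
INSIDE = "2001:660:3003:1:0211:22ff:fe33:4455"   # within the allowed /48
OUTSIDE = "2001:db8:bad:1:0211:22ff:fe33:4455"   # documentation prefix
TRUSTED_ID = 0x021122FFFE334455                  # constructed Identifier

def compare():
    """Return each policy's verdict for (INSIDE, OUTSIDE)."""
    loc = LocatorAcl(["2001:660:3003::/48"])
    ident = IdentifierAcl([TRUSTED_ID])
    return {
        "locator": (loc.permits(INSIDE), loc.permits(OUTSIDE)),
        "identifier": (ident.permits(INSIDE), ident.permits(OUTSIDE)),
    }

if __name__ == "__main__":
    print(compare())
```

The Locator policy gives different verdicts for the two sources, while the Identifier policy accepts both, since any sender can place the trusted value in the lower 64 bits.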