Re: [Fwd: [Saad] Some initiating thoughts...]

Melinda Shore <mshore@cisco.com> Wed, 22 October 2003 13:49 UTC

Received: from optimus.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA08590 for <saad-archive@odin.ietf.org>; Wed, 22 Oct 2003 09:49:24 -0400 (EDT)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1ACJMG-0004Dp-Rx for saad-archive@odin.ietf.org; Wed, 22 Oct 2003 09:49:05 -0400
Received: (from exim@localhost) by www1.ietf.org (8.12.8/8.12.8/Submit) id h9MDn4AU016223 for saad-archive@odin.ietf.org; Wed, 22 Oct 2003 09:49:04 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1ACJMG-0004Da-M1 for saad-web-archive@optimus.ietf.org; Wed, 22 Oct 2003 09:49:04 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA08572 for <saad-web-archive@ietf.org>; Wed, 22 Oct 2003 09:48:53 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1ACJME-0005L5-00 for saad-web-archive@ietf.org; Wed, 22 Oct 2003 09:49:02 -0400
Received: from ietf.org ([132.151.1.19] helo=optimus.ietf.org) by ietf-mx with esmtp (Exim 4.12) id 1ACJME-0005L2-00 for saad-web-archive@ietf.org; Wed, 22 Oct 2003 09:49:02 -0400
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1ACJMD-0004CG-Eo; Wed, 22 Oct 2003 09:49:01 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1ACJLg-0003zc-UZ for saad@optimus.ietf.org; Wed, 22 Oct 2003 09:48:29 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA08512 for <saad@ietf.org>; Wed, 22 Oct 2003 09:48:17 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1ACJLe-0005K7-00 for saad@ietf.org; Wed, 22 Oct 2003 09:48:27 -0400
Received: from sj-iport-3-in.cisco.com ([171.71.176.72] helo=sj-iport-3.cisco.com) by ietf-mx with esmtp (Exim 4.12) id 1ACJLe-0005JG-00 for saad@ietf.org; Wed, 22 Oct 2003 09:48:26 -0400
Received: from cisco.com (171.71.177.237) by sj-iport-3.cisco.com with ESMTP; 22 Oct 2003 06:48:10 -0700
Received: from mira-sjc5-c.cisco.com (IDENT:mirapoint@mira-sjc5-c.cisco.com [171.71.163.17]) by sj-core-1.cisco.com (8.12.9/8.12.6) with ESMTP id h9MDlCjP017578; Wed, 22 Oct 2003 06:47:13 -0700 (PDT)
Received: from cisco.com (stealth-10-32-241-42.cisco.com [10.32.241.42]) by mira-sjc5-c.cisco.com (Mirapoint Messaging Server MOS 3.3.6-GR) with SMTP id ANK08053; Wed, 22 Oct 2003 06:47:09 -0700 (PDT)
Date: Wed, 22 Oct 2003 09:47:08 -0400
Subject: Re: [Fwd: [Saad] Some initiating thoughts...]
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Mime-Version: 1.0 (Apple Message framework v552)
Cc: Leslie Daigle <leslie@thinkingcat.com>, saad@ietf.org, M.Handley@cs.ucl.ac.uk
To: Erik Nordmark <Erik.Nordmark@sun.com>
From: Melinda Shore <mshore@cisco.com>
In-Reply-To: <Roam.SIMC.2.0.6.1066828862.4411.nordmark@bebop.france>
Message-Id: <3A7F56BE-0496-11D8-A84F-000A95E35274@cisco.com>
Content-Transfer-Encoding: 7bit
X-Mailer: Apple Mail (2.552)
Sender: saad-admin@ietf.org
Errors-To: saad-admin@ietf.org
X-BeenThere: saad@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/saad>, <mailto:saad-request@ietf.org?subject=unsubscribe>
List-Id: Scope Addressing Architecture Discussion <saad.ietf.org>
List-Post: <mailto:saad@ietf.org>
List-Help: <mailto:saad-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/saad>, <mailto:saad-request@ietf.org?subject=subscribe>

On Wednesday, October 22, 2003, at 09:21 AM, Erik Nordmark wrote:
> My gut feel is that the underlying issue is that firewall/filtering
> configuration is complex and error prone and that there is a question
> on the table how we can make this easier. For instance, are there
> architectural modifications that can improve the situation?

There are a lot of different questions there, actually,
and I think they tend to have different answers.  Firewall
configuration, for example, is not the same question
as firewall policy expression.  In practice it turns out
that it's an enormous problem that the policy language
we're currently using to express firewall (or border access)
rules is incredibly crude.  Port numbers and transport
protocols are used to describe applications, and addresses
are used to describe policy domains.  There are obvious
limitations to what can actually be achieved using 5-tuples
as policy tags, and consequently firewall vendors have
implemented stateful inspection of data streams to make sure,
for example, that the stuff passing through on port 80
is actually html.  And because they need to inspect data
to make sure that firewall policy isn't being contravened,
they disallow encrypted traffic, which in turn means that
security practice is being substantially undermined.

So there's a considerable ripple effect created when
a policy function is overloaded on addresses.  Presumably
this could be mitigated through the use of more refined
policy language and a somewhat different enforcement architecture,
but that would introduce different architectural problems as
yet pretty much undiscussed.

Melinda
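The limitation Melinda describes above, rendered as an added example that is not part of the original mail or of any vendor's product: a toy 5-tuple policy that "allows port 80 to the web-server prefix", beside a payload-inspection step that only lets through what actually looks like HTTP. The rules, addresses (RFC 5737 documentation ranges) and the three sample payloads are all constructed for the illustration; the HTTP check is deliberately simple.

```python
"""Added example (not from the original mail): why 5-tuples are a crude
policy language, and why payload inspection then collides with encryption."""
from dataclasses import dataclass
from typing import Optional, Dict


@dataclass(frozen=True)
class FiveTuple:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                         # "allow" or "deny"
    proto: Optional[str] = None         # None means "any"
    dport: Optional[int] = None         # port number standing in for "the application"
    dst_prefix: Optional[str] = None    # address prefix standing in for "the policy domain"

    def matches(self, t: FiveTuple) -> bool:
        if self.proto is not None and self.proto != t.proto:
            return False
        if self.dport is not None and self.dport != t.dport:
            return False
        if self.dst_prefix is not None and not t.dst.startswith(self.dst_prefix):
            return False
        return True


# Constructed policy: "web traffic to our web servers is fine, everything else is not".
POLICY = [
    Rule("allow", proto="tcp", dport=80, dst_prefix="192.0.2."),
    Rule("deny"),   # catch-all
]


def five_tuple_decision(t: FiveTuple, policy=POLICY) -> str:
    """First-match evaluation on header fields only; never looks at the payload."""
    for rule in policy:
        if rule.matches(t):
            return rule.action
    return "deny"


HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def looks_like_http(payload: bytes) -> bool:
    """Crude 'is this really HTTP?' check: method token plus an HTTP/1.x request line."""
    first_line = payload.split(b"\r\n", 1)[0]
    return payload.startswith(HTTP_METHODS) and b" HTTP/1." in first_line


def inspected_decision(t: FiveTuple, payload: bytes, policy=POLICY) -> str:
    """Stateful-inspection style: the 5-tuple rule must allow the flow AND the
    bytes on port 80 must be recognisable as HTTP. Anything the inspector cannot
    parse (including an encrypted stream) is dropped, which is the ripple effect."""
    if five_tuple_decision(t, policy) == "deny":
        return "deny"
    if t.dport == 80 and not looks_like_http(payload):
        return "deny"
    return "allow"


# Constructed sample flows: one client talking to a web server on port 80.
WEB_FLOW = FiveTuple("198.51.100.7", "192.0.2.10", "tcp", 40000, 80)
SSH_FLOW = FiveTuple("198.51.100.7", "192.0.2.10", "tcp", 40001, 22)

SAMPLE_PAYLOADS = {
    "plain_http": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "ssh_on_80":  b"SSH-2.0-OpenSSH_8.9\r\n",                  # another protocol on port 80
    "tls_on_80":  bytes([0x16, 0x03, 0x01, 0x00, 0xC8, 0x01, 0x00, 0x00, 0xC4, 0x03, 0x03]),
}


def compare_decisions() -> Dict[str, Dict[str, str]]:
    """Side by side: what the 5-tuple policy says vs. what inspection says."""
    result = {}
    for name, payload in SAMPLE_PAYLOADS.items():
        result[name] = {
            "five_tuple": five_tuple_decision(WEB_FLOW),
            "inspected": inspected_decision(WEB_FLOW, payload),
        }
    return result


if __name__ == "__main__":
    for name, verdicts in compare_decisions().items():
        print(f"{name:12s} 5-tuple={verdicts['five_tuple']:5s} inspected={verdicts['inspected']}")
    print(f"ssh_on_22    5-tuple={five_tuple_decision(SSH_FLOW)}")
```

The 5-tuple policy returns "allow" for all three port-80 payloads because it cannot tell them apart; the inspector fixes that for the cleartext SSH case but also drops the TLS ClientHello, since an encrypted stream is indistinguishable from "not HTTP" to a byte-pattern check. That is the trade-off the mail points at: the only way the crude policy language can be enforced is by reading payloads, which pushes operators toward disallowing encryption.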


_______________________________________________
Saad mailing list
Saad@ietf.org
https://www1.ietf.org/mailman/listinfo/saad