Re: [Fwd: [Saad] Some initiating thoughts...]
Melinda Shore <mshore@cisco.com> Wed, 22 October 2003 13:49 UTC
Received: from optimus.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA08590 for <saad-archive@odin.ietf.org>; Wed, 22 Oct 2003 09:49:24 -0400 (EDT)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1ACJMG-0004Dp-Rx for saad-archive@odin.ietf.org; Wed, 22 Oct 2003 09:49:05 -0400
Received: (from exim@localhost) by www1.ietf.org (8.12.8/8.12.8/Submit) id h9MDn4AU016223 for saad-archive@odin.ietf.org; Wed, 22 Oct 2003 09:49:04 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1ACJMG-0004Da-M1 for saad-web-archive@optimus.ietf.org; Wed, 22 Oct 2003 09:49:04 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA08572 for <saad-web-archive@ietf.org>; Wed, 22 Oct 2003 09:48:53 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1ACJME-0005L5-00 for saad-web-archive@ietf.org; Wed, 22 Oct 2003 09:49:02 -0400
Received: from ietf.org ([132.151.1.19] helo=optimus.ietf.org) by ietf-mx with esmtp (Exim 4.12) id 1ACJME-0005L2-00 for saad-web-archive@ietf.org; Wed, 22 Oct 2003 09:49:02 -0400
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1ACJMD-0004CG-Eo; Wed, 22 Oct 2003 09:49:01 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1ACJLg-0003zc-UZ for saad@optimus.ietf.org; Wed, 22 Oct 2003 09:48:29 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA08512 for <saad@ietf.org>; Wed, 22 Oct 2003 09:48:17 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1ACJLe-0005K7-00 for saad@ietf.org; Wed, 22 Oct 2003 09:48:27 -0400
Received: from sj-iport-3-in.cisco.com ([171.71.176.72] helo=sj-iport-3.cisco.com) by ietf-mx with esmtp (Exim 4.12) id 1ACJLe-0005JG-00 for saad@ietf.org; Wed, 22 Oct 2003 09:48:26 -0400
Received: from cisco.com (171.71.177.237) by sj-iport-3.cisco.com with ESMTP; 22 Oct 2003 06:48:10 -0700
Received: from mira-sjc5-c.cisco.com (IDENT:mirapoint@mira-sjc5-c.cisco.com [171.71.163.17]) by sj-core-1.cisco.com (8.12.9/8.12.6) with ESMTP id h9MDlCjP017578; Wed, 22 Oct 2003 06:47:13 -0700 (PDT)
Received: from cisco.com (stealth-10-32-241-42.cisco.com [10.32.241.42]) by mira-sjc5-c.cisco.com (Mirapoint Messaging Server MOS 3.3.6-GR) with SMTP id ANK08053; Wed, 22 Oct 2003 06:47:09 -0700 (PDT)
Date: Wed, 22 Oct 2003 09:47:08 -0400
Subject: Re: [Fwd: [Saad] Some initiating thoughts...]
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Mime-Version: 1.0 (Apple Message framework v552)
Cc: Leslie Daigle <leslie@thinkingcat.com>, saad@ietf.org, M.Handley@cs.ucl.ac.uk
To: Erik Nordmark <Erik.Nordmark@sun.com>
From: Melinda Shore <mshore@cisco.com>
In-Reply-To: <Roam.SIMC.2.0.6.1066828862.4411.nordmark@bebop.france>
Message-Id: <3A7F56BE-0496-11D8-A84F-000A95E35274@cisco.com>
Content-Transfer-Encoding: 7bit
X-Mailer: Apple Mail (2.552)
Sender: saad-admin@ietf.org
Errors-To: saad-admin@ietf.org
X-BeenThere: saad@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/saad>, <mailto:saad-request@ietf.org?subject=unsubscribe>
List-Id: Scope Addressing Architecture Discussion <saad.ietf.org>
List-Post: <mailto:saad@ietf.org>
List-Help: <mailto:saad-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/saad>, <mailto:saad-request@ietf.org?subject=subscribe>
On Wednesday, October 22, 2003, at 09:21 AM, Erik Nordmark wrote:

> My gut feel is that the underlying issue is that firewall/filtering
> configuration is complex and error prone and that there is a question
> on the table how we can make this easier. For instance, are there
> architectural modifications that can improve the situation?

There are a lot of different questions there, actually, and I think
they tend to have different answers. Firewall configuration, for
example, is not the same question as firewall policy expression.

In practice it turns out that it's an enormous problem that the policy
language we're currently using to express firewall (or border access)
rules is incredibly crude. Port numbers and transport protocols are
used to describe applications, and addresses are used to describe
policy domains. There are obvious limitations to what can actually be
achieved using 5-tuples as policy tags, and consequently firewall
vendors have implemented stateful inspection of data streams to make
sure, for example, that the stuff passing through on port 80 is
actually HTML. And because they need to inspect data to make sure that
firewall policy isn't being contravened, they disallow encrypted
traffic, which in turn means that security practice is being
substantially undermined.

So there's a considerable ripple effect created when a policy function
is overloaded on addresses. Presumably this could be mitigated through
the use of more refined policy language and a somewhat different
enforcement architecture, but that would introduce different
architectural problems as yet pretty much undiscussed.

Melinda

_______________________________________________
Saad mailing list
Saad@ietf.org
https://www1.ietf.org/mailman/listinfo/saad
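The post above argues that a 5-tuple rule uses the port as a stand-in for "which application" and the address as a stand-in for "which policy domain", which is why inspecting firewalls read payload and then have nothing to say about bytes they cannot read. The Python below is an added illustration of that trade-off; it is not code from the post or from the list discussion. The inside network, the rule set, the payload classifier and the sample flows are all constructed for the example.

```python
"""Added example: a pure 5-tuple border policy next to an inspecting one.

Everything here is hypothetical: the "inside" prefix, the port rules and
the sample flows are constructed to show the point, not taken from any
real deployment.
"""

import ipaddress
from dataclasses import dataclass

# Hypothetical "our" policy domain, expressed the way the post describes:
# as an address range.
INSIDE = ipaddress.ip_network("10.0.0.0/8")

# Hypothetical border rule set keyed the usual way:
# (transport protocol, destination port) -> verdict. "80 means web".
PORT_POLICY = {
    ("tcp", 80): "allow",
    ("tcp", 443): "allow",
    ("tcp", 22): "deny",
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    first_bytes: bytes  # first client-to-server bytes of the connection


def tuple_verdict(flow: Flow) -> str:
    """Pure 5-tuple policy: address says which domain, port says which app."""
    if ipaddress.ip_address(flow.src) not in INSIDE:
        return "deny"  # only flows originating in our domain may leave
    return PORT_POLICY.get((flow.proto, flow.dport), "deny")


HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def classify_payload(first_bytes: bytes) -> str:
    """Guess the application from the opening bytes: http, ssh, tls or unknown."""
    if first_bytes.startswith(HTTP_METHODS):
        return "http"
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    # TLS record header: content type 0x16 (handshake), major version 3,
    # and the first handshake message type 0x01 (ClientHello).
    if (len(first_bytes) >= 6 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[5] == 0x01):
        return "tls"
    return "unknown"


def inspecting_verdict(flow: Flow) -> str:
    """The inspecting variant the post describes: port 80 must actually carry
    HTTP, and bytes the inspector cannot read are refused outright."""
    if tuple_verdict(flow) != "allow":
        return "deny"
    app = classify_payload(flow.first_bytes)
    if app == "tls":
        return "deny"  # opaque to the inspector, so policy cannot be checked
    if flow.dport == 80 and app != "http":
        return "deny"  # port says web, bytes say otherwise
    return "allow"


# Constructed sample flows (addresses from documentation ranges).
SAMPLE_FLOWS = {
    "http on 80": Flow("10.1.2.3", "192.0.2.10", "tcp", 51000, 80,
                       b"GET / HTTP/1.1\r\nHost: example.net\r\n\r\n"),
    "ssh on 80": Flow("10.1.2.3", "192.0.2.10", "tcp", 51001, 80,
                      b"SSH-2.0-example\r\n"),
    "tls on 80": Flow("10.1.2.3", "192.0.2.10", "tcp", 51002, 80,
                      b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),
    "tls on 443": Flow("10.1.2.3", "192.0.2.10", "tcp", 51003, 443,
                       b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),
    "ssh on 22": Flow("10.1.2.3", "192.0.2.10", "tcp", 51004, 22,
                      b"SSH-2.0-example\r\n"),
    "outsider": Flow("198.51.100.7", "192.0.2.10", "tcp", 51005, 80,
                     b"GET / HTTP/1.1\r\n\r\n"),
}


def compare(flows=SAMPLE_FLOWS) -> dict:
    """Return {label: (5-tuple verdict, inspecting verdict)} for each flow."""
    return {name: (tuple_verdict(f), inspecting_verdict(f))
            for name, f in flows.items()}


if __name__ == "__main__":
    for name, (by_tuple, by_inspection) in compare().items():
        print(f"{name:<12} 5-tuple={by_tuple:<6} inspected={by_inspection}")
```

Reading the two verdict columns side by side is the whole point: the 5-tuple policy waves SSH through on port 80 because the port is all it sees, and the inspecting policy catches that only by also refusing the TLS ClientHello, on port 80 and on 443 alike. That second column is the "ripple effect" the post describes.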
- [Saad] Some initiating thoughts... Leslie Daigle
- [Fwd: [Saad] Some initiating thoughts...] Leslie Daigle
- RE: [Fwd: [Saad] Some initiating thoughts...] Michel Py
- Re: [Fwd: [Saad] Some initiating thoughts...] J. Noel Chiappa
- Re: [Fwd: [Saad] Some initiating thoughts...] Erik Nordmark
- Re: [Fwd: [Saad] Some initiating thoughts...] Melinda Shore
- Re: [Fwd: [Saad] Some initiating thoughts...] James Kempf
- Re: [Fwd: [Saad] Some initiating thoughts...] Erik Nordmark
- RE: [Fwd: [Saad] Some initiating thoughts...] Harrington, David
- Re: [Fwd: [Saad] Some initiating thoughts...] Melinda Shore
- RE: [Fwd: [Saad] Some initiating thoughts...] Erik Nordmark
- Re: [Fwd: [Saad] Some initiating thoughts...] Pekka Savola
- Re: [Fwd: [Saad] Some initiating thoughts...] Brian E Carpenter
- RE: [Fwd: [Saad] Some initiating thoughts...] Harrington, David
- Re: [Fwd: [Saad] Some initiating thoughts...] Brian E Carpenter