Purpose of ALD (was Re: Some suggestions for draft-ietf-v6ops-cpe-simple-security-03)
james woodyatt <jhw@apple.com> Wed, 27 August 2008 22:12 UTC
Return-Path: <owner-v6ops@ops.ietf.org>
X-Original-To: ietfarch-v6ops-archive@core3.amsl.com
Delivered-To: ietfarch-v6ops-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 24BA13A6AB8 for <ietfarch-v6ops-archive@core3.amsl.com>; Wed, 27 Aug 2008 15:12:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -104.495
X-Spam-Level:
X-Spam-Status: No, score=-104.495 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RCVD_IN_DNSWL_MED=-4, RDNS_NONE=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P+Ksky8JwQSw for <ietfarch-v6ops-archive@core3.amsl.com>; Wed, 27 Aug 2008 15:12:19 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 2945B3A6A75 for <v6ops-archive@lists.ietf.org>; Wed, 27 Aug 2008 15:12:19 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-v6ops@ops.ietf.org>) id 1KYTDS-0002DM-CS for v6ops-data@psg.com; Wed, 27 Aug 2008 22:10:14 +0000
Received: from [17.254.13.22] (helo=mail-out3.apple.com) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from <jhw@apple.com>) id 1KYTDO-0002Cm-NH for v6ops@ops.ietf.org; Wed, 27 Aug 2008 22:10:12 +0000
Received: from relay14.apple.com (relay14.apple.com [17.128.113.52]) by mail-out3.apple.com (Postfix) with ESMTP id 46EAD3887FD0 for <v6ops@ops.ietf.org>; Wed, 27 Aug 2008 15:10:10 -0700 (PDT)
Received: from relay14.apple.com (unknown [127.0.0.1]) by relay14.apple.com (Symantec Mail Security) with ESMTP id 2C76C2808C for <v6ops@ops.ietf.org>; Wed, 27 Aug 2008 15:10:10 -0700 (PDT)
X-AuditID: 11807134-a755ebb000000ece-1b-48b5d0c2082f
Received: from il0602f-dhcp90.apple.com (il0602f-dhcp90.apple.com [17.206.50.90]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by relay14.apple.com (Apple SCV relay) with ESMTP id 0B48A28088 for <v6ops@ops.ietf.org>; Wed, 27 Aug 2008 15:10:10 -0700 (PDT)
Message-Id: <19C3AEFF-1D59-4D48-AD2D-0A3A89D2C0F2@apple.com>
From: james woodyatt <jhw@apple.com>
To: IPv6 Operations <v6ops@ops.ietf.org>
In-Reply-To: <05cb01c9087e$c40d0960$c2f0200a@cisco.com>
Content-Type: text/plain; charset="US-ASCII"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v928.1)
Subject: Purpose of ALD (was Re: Some suggestions for draft-ietf-v6ops-cpe-simple-security-03)
Date: Wed, 27 Aug 2008 15:10:09 -0700
References: <20080824204553.08131c65.ipng@69706e6720323030352d30312d31340a.nosense.org> <48B1CCE8.1070305@gmail.com> <01af01c9065b$b4602440$c2f0200a@cisco.com> <48B23391.1090503@gmail.com> <01cd01c90672$a57c8790$c2f0200a@cisco.com> <48B31DA3.6080001@gmail.com> <07d201c906f7$50a85e30$c2f0200a@cisco.com> <48B32B43.5010103@gmail.com> <084c01c906fe$f9bf1840$c2f0200a@cisco.com> <48B33430.40704@gmail.com> <08b901c90710$4064aa60$c2f0200a@cisco.com> <48B354FA.7040601@gmail.com> <48B50B10.9090005@free.fr> <15ECFC5E-7734-44ED-A652-7EFC795E6A39@apple.com> <05cb01c9087e$c40d0960$c2f0200a@cisco.com>
X-Mailer: Apple Mail (2.928.1)
X-Brightmail-Tracker: AAAAAA==
Sender: owner-v6ops@ops.ietf.org
Precedence: bulk
List-ID: <v6ops.ops.ietf.org>
On Aug 27, 2008, at 12:54, Dan Wing wrote: > [I wrote:] >> >> I must chime in here and repeat for the record that ALD is most >> emphatically NOT a protocol for enabling hosts to control filtering >> devices. I took Great Pains to specify it as a protocol for >> filtering devices to learn about interior applications that are >> soliciting inbound traffic from arbitrary exterior nodes regardless >> of their remote address. >> >> Please please please I am VERY resistant to positioning ALD as a >> method for nodes to use in "controlling" firewall devices. > > Er, it seems the same to me. Are you just saying that the interior > host is not necessarily *overriding* the filtering device's rules? > If that's what you're saying, I agree, and I think that's fine. I'm actually making a somewhat stronger statement. I'm saying that the Purpose of ALD is *NOT* for interior nodes to control their corresponding states in filtering middleboxes, but rather for middleboxes to learn about state at interior nodes relevant for network filtering. The design of ALD is a reflection of this statement of purpose, which is why it defines no mechanism for informing endpoint nodes whether and/or why not filtering rules have changed as a result of the notifications they send. I don't mean to sound like I'm picking nits, but I really do think it's a big mistake to formulate the problem statement around a perceived need for endpoint nodes to "control" the state of middleboxes. I contend there is no such need. There is only a need for filtering middleboxes to be better aware of endpoint state so that they do not intrude on network transparency unnecessarily, i.e. when security policy does not require it. -- james woodyatt <jhw@apple.com> member of technical staff, communications engineering
- Fwd: Some suggestions for draft-ietf-v6ops-cpe-si… Fred Baker
- Some suggestions for draft-ietf-v6ops-cpe-simple-… Mark Smith
- Re: Some suggestions for draft-ietf-v6ops-cpe-sim… Brian E Carpenter
- RE: Some suggestions for draft-ietf-v6ops-cpe-sim… Dan Wing
- Re: Some suggestions for draft-ietf-v6ops-cpe-sim… Brian E Carpenter
- RE: Some suggestions for draft-ietf-v6ops-cpe-sim… Dan Wing
- Re: Some suggestions for draft-ietf-v6ops-cpe-sim… Mark Smith
- Re: Some suggestions for draft-ietf-v6ops-cpe-sim… EricLKlein
- Re: Some suggestions for draft-ietf-v6ops-cpe-sim… Brian E Carpenter
- RE: Some suggestions for draft-ietf-v6ops-cpe-sim… Dan Wing
- Re: Some suggestions for draft-ietf-v6ops-cpe-sim… Brian E Carpenter
- RE: Some suggestions for draft-ietf-v6ops-cpe-sim… Dan Wing
- Re: Some suggestions for draft-ietf-v6ops-cpe-sim… Brian E Carpenter
- RE: Some suggestions for draft-ietf-v6ops-cpe-sim… Dan Wing
- Re: Some suggestions for draft-ietf-v6ops-cpe-sim… Truman Boyes
- RE: Some suggestions for draft-ietf-v6ops-cpe-sim… Dan Wing
- Re: Some suggestions for draft-ietf-v6ops-cpe-sim… Brian E Carpenter
- Re: Some suggestions for draft-ietf-v6ops-cpe-sim… Gert Doering
- RE: Some suggestions for draft-ietf-v6ops-cpe-sim… Dan Wing
- Re: Some suggestions for draft-ietf-v6ops-cpe-sim… Rémi Després
- Re: Some suggestions for draft-ietf-v6ops-cpe-sim… Rémi Després
- Re: Some suggestions for draft-ietf-v6ops-cpe-sim… Gert Doering
- Re: Some suggestions for draft-ietf-v6ops-cpe-sim… Rémi Denis-Courmont
- But are we talking IPv6 only? That's how I read t… Mark Smith
- RE: Some suggestions for draft-ietf-v6ops-cpe-sim… teemu.savolainen
- Re: Some suggestions for draft-ietf-v6ops-cpe-sim… Rémi Després
- RE: Some suggestions for draft-ietf-v6ops-cpe-sim… Rémi Denis-Courmont
- Re: Some suggestions for draft-ietf-v6ops-cpe-sim… Rémi Denis-Courmont
- RE: Some suggestions for draft-ietf-v6ops-cpe-sim… Dan Wing
- RE: But are we talking IPv6 only? That's how I re… Dan Wing
- Re: Some suggestions for draft-ietf-v6ops-cpe-sim… james woodyatt
- Re: Some suggestions for draft-ietf-v6ops-cpe-sim… james woodyatt
- Re: But are we talking IPv6 only? That's how I re… james woodyatt
- RE: Some suggestions for draft-ietf-v6ops-cpe-sim… Dan Wing
- Re: But are we talking IPv6 only? That's how I re… Mark Smith
- Purpose of ALD (was Re: Some suggestions for draf… james woodyatt
- Re: But are we talking IPv6 only? That's how I re… james woodyatt
- RE: Purpose of ALD (was Re: Some suggestions for … Dan Wing
- RE: But are we talking IPv6 only? That's how I re… Dan Wing
- Re: But are we talking IPv6 only? That's how I re… james woodyatt
- RE: But are we talking IPv6 only? That's how I re… Dan Wing
- Re: But are we talking IPv6 only? That's how I re… Rémi Denis-Courmont
- RE: But are we talking IPv6 only? That's how I re… Templin, Fred L
- RE: But are we talking IPv6 only? That's how I re… Dan Wing
- RE: But are we talking IPv6 only? That's how I re… Templin, Fred L
- Re: But are we talking IPv6 only? That's how I re… james woodyatt
- RE: But are we talking IPv6 only? That's how I re… Templin, Fred L
- Re: But are we talking IPv6 only? That's how I re… james woodyatt
- RE: But are we talking IPv6 only? That's how I re… Templin, Fred L
- Re: But are we talking IPv6 only? That's how I re… Rémi Després
- RE: But are we talking IPv6 only? That's how I re… Dan Wing
- RE: But are we talking IPv6 only? That's how I re… Templin, Fred L
- Re: But are we talking IPv6 only? That's how I re… Rémi Després
- RE: But are we talking IPv6 only? That's how I re… Templin, Fred L
- RE: But are we talking IPv6 only? That's how I re… Dan Wing
- Re: But are we talking IPv6 only? That's how I re… Mark Smith
- Re: But are we talking IPv6 only? That's how I re… Mark Smith
- Re: tunnel protocols (draft-ietf-v6ops-cpe-simple… james woodyatt