Another interesting scenario is where part of a delegated prefix wants or is required to be firewalled while other parts do not. I do not think we are limiting ourselves. I think advanced users will still have the ability to do as they please, and we are making sure the not-so-advanced are not unknowingly exposed.
As I mentioned earlier, I think there may be an opportunity for some protocol development in this space.

John

On 8/2/11 9:20 PM, "Shane Amante" <[email protected]> wrote:

>
> On Aug 2, 2011, at 5:08 PM, Brzozowski, John wrote:
>> On 8/2/11 8:28 AM, "Keith Moore" <[email protected]> wrote:
>>> On Aug 2, 2011, at 4:22 AM, Philip Homburg wrote:
>>>
>>>> How do you construct a router such that the router always knows what it
>>>> has to do, or at least is in some sense fail-safe?
>>>
>>> The idea that a firewall should automatically know what "it has to do"
>>> strikes me as utterly bizarre. I realize that there's a desire to
>>> minimize the configuration burden for unsophisticated users (and agree
>>> with that), but the idea that the firewall knows better than the user
>>> what his security policy should be seems ridiculous.
>> [jjmb] I agree, Keith, that having a firewall automatically know what to do
>> is a tall order. I also think there is more than a desire to ease the
>> configuration burden; this is a must, since most users on the Internet have
>> very basic technical skills.
>
> So, I agree with this point, but are we constraining our thinking too
> early? For example, if the assumption is there is a singular
> CPE-router/FW that has been allocated a /56 from a provider, then:
> - why couldn't the FW provide 'stateful firewall' service for the first
>   'covering' /60 of IPv6 prefixes (/64's) allocated within the house;
> - but, the CPE-router/FW would /NOT/ provide stateful or stateless
>   firewall for the remaining 7/8's of address space allocated within the
>   house.
>
> Of course, just change the 'mask' lengths to represent whatever the WG
> thinks are 'sensible' defaults.
>
> And, we'd need to decide if this is something a device in the home can
> 'dynamically' request from the CPE-router/FW via, say, DHCPv6 or if there
> are better options ...
>
> -shane
>
>>>
>>> A different idea is that the firewall always work in a very minimal mode
>>> by default (e.g. it passes no traffic, or maybe only outgoing port 80
>>> traffic, but its configuration interface is enabled for the internal
>>> ports) so that the user must configure it in order to get it to do
>>> anything useful. That way, the first thing a user learns about his
>>> router/firewall is how to configure it. Then you want to focus on making
>>> the configuration interface easy to understand. (You also have to figure
>>> out how to keep the user from hooking up the internal port to the
>>> external connection.)
>> [jjmb] I said something similar to this in an earlier email. To
>> start, there should perhaps be a basic configuration that protects the user
>> and allows the service to be usable.
>>>
>>> But these are user interface issues, not protocol issues. Perhaps
>>> they're better addressed in homenet than here.
>> [jjmb] I could imagine some protocol work that could ease the pain here;
>> UI for sure could facilitate ease of use.
>>>
>>> Keith
>>>
>>> _______________________________________________
>>> v6ops mailing list
>>> [email protected]
>>> https://www.ietf.org/mailman/listinfo/v6ops
>
_______________________________________________
homenet mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/homenet
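Shane's split default (stateful firewalling only for the first covering /60 of the delegated /56, nothing for the remaining 7/8) expressed as prefix arithmetic. This is an added illustration, not code from the thread or from any WG document: the delegated prefix 2001:db8:1100::/56 and the /64s are constructed documentation addresses, the /60 protected size and the "wan" interface name are assumptions, and the nftables text is rendered only to show what the policy would look like on a CPE, not to claim any particular product implements it.

```python
import ipaddress


def covering_block(delegated, protected_len=60):
    """Lowest /protected_len block of the delegation: the part the CPE would
    firewall statefully under the proposal. protected_len is an assumption."""
    net = ipaddress.IPv6Network(delegated)
    if protected_len < net.prefixlen:
        raise ValueError("protected block cannot be larger than the delegation")
    return next(net.subnets(new_prefix=protected_len))


def classify(delegated, lan_prefixes, protected_len=60):
    """Map each /64 assigned inside the house to 'stateful' (inside the
    covering block) or 'open' (the remaining 7/8 of the delegation, which
    the CPE does not firewall at all). Prefixes outside the delegation are
    rejected rather than silently treated as 'open'."""
    net = ipaddress.IPv6Network(delegated)
    protected = covering_block(delegated, protected_len)
    result = {}
    for p in lan_prefixes:
        p = ipaddress.IPv6Network(p)
        if not p.subnet_of(net):
            raise ValueError(f"{p} is not within the delegation {net}")
        result[str(p)] = "stateful" if p.subnet_of(protected) else "open"
    return result


def nft_ruleset(delegated, protected_len=60, wan="wan"):
    """Render the policy as an nftables forward chain (illustrative text).
    Inbound traffic from the WAN to the covering block is forwarded only if
    it belongs to a flow the LAN initiated; the chain's 'policy accept'
    forwards everything else untouched, so the rest of the /56 is open."""
    protected = covering_block(delegated, protected_len)
    return "\n".join([
        "table inet cpe_default {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
        f'    iifname "{wan}" ip6 daddr {protected} ct state established,related accept',
        f'    iifname "{wan}" ip6 daddr {protected} drop',
        "  }",
        "}",
    ])


if __name__ == "__main__":
    # Constructed sample: a /56 delegation and four /64s assigned in the house.
    delegation = "2001:db8:1100::/56"
    lans = ["2001:db8:1100::/64", "2001:db8:1100:f::/64",
            "2001:db8:1100:10::/64", "2001:db8:1100:ff::/64"]
    for prefix, policy in classify(delegation, lans).items():
        print(f"{prefix:28} {policy}")
    print(nft_ruleset(delegation))
```

The two /64s at :0 and :f fall inside 2001:db8:1100::/60 and get the stateful default; :10 and :ff are in the other fifteen /60s and are forwarded without any filtering, which is exactly the exposure John is worried about for less sophisticated users. Changing `protected_len` to 56 makes the whole delegation stateful, and a value smaller than the delegation is rejected.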
