On Fri, Mar 22, 2024 at 9:12 AM Robinson, Herbie <[email protected]> wrote:

> > Whether something is "legitimate" is a matter of opinion, protocol conformance typically is not.
>
> In the real world, protocol conformance involves how people interpret the specs (which have historically been quite loose) and what developers of things like firewalls have to do to keep real world threats from making the Internet totally useless. What seems to be happening is things that are necessary get done while adhering to the developers' best efforts to adhere to the specs and real world utilization. Eventually, what really happens is things which are necessary enough to be widely used (like firewalls) dictate what the specs didn't say when the firewalls were designed.
>
> > For applications and hosts firewalls are not at all necessary to do their job and have created way more problems for developers than they solve.
>
> Umm, are you really trying to claim that firewalls are not necessary?

Herbie,

Yes, I'm saying that. I know this is true because whenever I connect to WiFi at the local coffee shop or the airport I get no indication that the network is even running a firewall, much less any guarantee that they're running a firewall that's well maintained, that the devices are up to date with the latest vendor patches, or that they have a reasonable and sufficient security policy. I rely solely on my application and host OS, which I can control, for security, malware detection, virus scanning, etc. So some anonymous firewall that thinks it can protect me better is more likely to cause problems or reduce my security (like if they don't forward my IPsec or QUIC packets because the firewall thinks that hiding data from them is insecure). If there were some real standard for firewalls that had broad conformance, ubiquitous deployment, and consistent policies then I might think differently-- but until that happens I believe firewalls are more part of the problem than the solution.

Tom

> If it wasn't for firewalls, the Internet would be pretty much useless. I wish that were not so, but...
>
> > In fact, in the 6man meeting the other day someone pointed out that the effect of NAT has been to move the problems and complexity out of the network into the host and application-- as a host developer I can say that this statement is spot on.
>
> NAT is a red herring -- it's not the only reason firewalls need to look at ports to do their job. Then again, NAT is a really good argument for not enhancing IPv4 (so that NAT will go away).
>
> BTW, I am a host developer and protocol stack maintainer. I see this as a huge amount of work to implement something no-one will be able to use for 2-3 decades. Especially when it's all available via IPv6, now.
>
> > Right, and this is exactly what drives us to limit packets on the Internet to perpetually use the least common denominator of support in the network. The result is an ossified Internet that we can no longer evolve-- IMO that's not a good thing!
>
> And how does defining something no-one will be able to use for two or three decades solve that problem -- better than IPv6 which already has a 2 decade head start?

_______________________________________________
Int-area mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/int-area
