Folks,

Thanks for writing the aforementioned I-D. I recall reading previous versions of it, and I'm glad to see it has been adopted as a wg item of the opsawg.

Some comments:

Section 1 states:

> If two or more networks that are connected by
> a single device, the perimeter is inside the device.

Please remove "that".

Section 1:

> The ALG blocks some of the flows in the application protocol based
> on policies such as "do not all traffic from this network" and "do
> not allow the client to send a message of this type".

s/do not all traffic from this network/do not all any traffic from this network/ ?

Section 3.2 states:

> Firewalls that understand IPv6 may have a fourth category:
>
> IV: Allow nearly all outside-initiated traffic. [[[ MORE HERE
> about why this is considered a good idea by some and a bad idea by
> others ]]]]

You mean that some people do not do any filtering, or something else?

Section 4 states:

> Allow fragments
> Except in specific protocols where layer 7 content filtering is
> deemed crucial

Is this IP-layer fragmentation any different than having to do TCP reassembly for doing layer-7 inspection? (.. and you cannot prevent the latter). Also, please keep the recent v6ops discussion about "frag drop" in mind...

Cheers,

--
Fernando Gont
e-mail: [email protected] || [email protected]
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1

--
Fernando Gont
SI6 Networks
e-mail: [email protected]
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

_______________________________________________
OPSAWG mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsawg
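The "Allow fragments" rule and the "frag drop" question in the message above turn on one mechanical point: only the first fragment of an IPv6 packet can carry the transport header, so a stateless port-based rule has nothing to match on in a non-first fragment, and anything that must look at layer 7 has to reassemble first. The following is an added, self-contained example (not code from the draft, the e-mail, or the OPSAWG list) that walks the IPv6 extension-header chain, classifies a packet as unfragmented / first fragment / first fragment with a truncated transport header / non-first fragment, and applies an illustrative policy. The policy in `allow()`, the sample packets, the addresses and the identifier values are constructed assumptions for the demonstration.

```python
"""IPv6 fragment classification (added example; assumptions are marked)."""
import struct
from dataclasses import dataclass

# IANA protocol numbers
HOPOPT, ROUTING, FRAGMENT, DSTOPTS = 0, 43, 44, 60
TCP, UDP = 6, 17
MIN_TRANSPORT_HDR = {TCP: 20, UDP: 8}   # fixed header sizes


@dataclass
class FragInfo:
    is_fragment: bool
    offset: int          # fragment offset in 8-octet units
    more: bool           # M flag
    next_header: int     # protocol following the parsed extension chain
    payload: bytes       # bytes after the last parsed extension header


def parse_ipv6(pkt: bytes) -> FragInfo:
    """Walk HBH/Routing/DstOpts headers until a Fragment header or upper layer."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh = pkt[6]
    off = 40
    while nh in (HOPOPT, ROUTING, DSTOPTS):
        if len(pkt) < off + 2:
            raise ValueError("truncated extension header")
        nh, hdr_ext_len = pkt[off], pkt[off + 1]
        off += (hdr_ext_len + 1) * 8        # Hdr Ext Len excludes the first 8 octets
    if nh != FRAGMENT:
        return FragInfo(False, 0, False, nh, pkt[off:])
    if len(pkt) < off + 8:
        raise ValueError("truncated Fragment header")
    nh, _reserved, off_flags, _ident = struct.unpack("!BBHI", pkt[off:off + 8])
    return FragInfo(True, off_flags >> 3, bool(off_flags & 1), nh, pkt[off + 8:])


def classify(pkt: bytes) -> str:
    info = parse_ipv6(pkt)
    if not info.is_fragment:
        return "unfragmented"
    if info.offset != 0:
        # No transport header here: a port-based rule has nothing to match on.
        return "non-first-fragment"
    need = MIN_TRANSPORT_HDR.get(info.next_header, 0)
    if len(info.payload) < need:
        return "first-fragment-truncated-transport-header"
    return "first-fragment"


def allow(pkt: bytes, l7_filtering_required: bool = False) -> bool:
    """Illustrative policy (an assumption of this example, not the draft's rule set):
    unfragmented packets and first fragments carrying the full transport header
    pass; a first fragment that cuts the transport header short is dropped;
    non-first fragments pass unless the flow must be inspected at layer 7, in
    which case they would have to be reassembled rather than matched here."""
    kind = classify(pkt)
    if kind in ("unfragmented", "first-fragment"):
        return True
    if kind == "non-first-fragment":
        return not l7_filtering_required
    return False


# ---- constructed sample packets (addresses, identifier and data are made up) ----
def build_ipv6(next_header: int, payload: bytes) -> bytes:
    src = b"\x20\x01\x0d\xb8" + b"\x00" * 11 + b"\x01"   # 2001:db8::1
    dst = b"\x20\x01\x0d\xb8" + b"\x00" * 11 + b"\x02"   # 2001:db8::2
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64) + src + dst + payload


def frag_hdr(next_header: int, offset: int, more: bool, ident: int = 0x1234) -> bytes:
    return struct.pack("!BBHI", next_header, 0, (offset << 3) | int(more), ident)


TCP_HDR = b"\x00" * 20          # placeholder 20-octet TCP header
UNFRAG = build_ipv6(TCP, TCP_HDR + b"GET / HTTP/1.1\r\n")
FIRST = build_ipv6(FRAGMENT, frag_hdr(TCP, 0, True) + TCP_HDR + b"GET / HT")
SHORT_FIRST = build_ipv6(FRAGMENT, frag_hdr(TCP, 0, True) + TCP_HDR[:8])
NON_FIRST = build_ipv6(FRAGMENT, frag_hdr(TCP, 3, False) + b"TP/1.1\r\n")

if __name__ == "__main__":
    for name, pkt in [("UNFRAG", UNFRAG), ("FIRST", FIRST),
                      ("SHORT_FIRST", SHORT_FIRST), ("NON_FIRST", NON_FIRST)]:
        print(f"{name:12s} {classify(pkt):42s} allow={allow(pkt)} "
              f"allow(l7)={allow(pkt, l7_filtering_required=True)}")
```

The `SHORT_FIRST` case is the one worth noting: it is a first fragment, so a naive "offset == 0 means I can read the ports" check would index past the available bytes or match on garbage; the classifier treats it as its own category so the policy can reject it explicitly.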
