Melinda, 

Thank you very much for explaining the intent of the draft. I find the rule 
categories described in Sections 4 and 5 very useful. As you mentioned the 
possibility of an I2NSF WG being created, I think Sections 4 and 5 provide a good 
design consideration for the types of rules for FWs. 

As the line between today's FW and IPS is getting blurred, those rules can 
apply to IPS/IDS as well. 

Linda 

-----Original Message-----
From: OPSAWG [mailto:[email protected]] On Behalf Of Melinda Shore
Sent: Thursday, September 17, 2015 4:49 PM
To: [email protected]
Subject: Re: [OPSAWG] [OPSEC] "On Firewalls in Internet Security" (Fwd: New 
Version Notification for draft-gont-opsawg-firewalls-analysis-00.txt)

On 9/16/15 9:10 PM, Panos Kampanakis (pkampana) wrote:
> Also I am not sure about what the "bickering on the topic" refers to.

At one time this was an opsawg deliverable but was dropped because of the 
inability to come to consensus on some basic questions about the document, 
including the question of what problem it's intended to solve.  I don't 
particularly look forward to another slugfest or the inevitable involvement of 
ideologues.

That said, I do think there's value in such a document, for several reasons.  
One is that over the years there have been a number of efforts to abstract 
firewall behavior as input to the design of IETF protocols.  It's a challenge 
because firewall behavior does tend to be highly vendor-specific, and we've 
published several specifications that try to do it (nsis's NAT and firewall 
layer, midcom, etc.).  It would be (and would have been) useful to have a 
document describing where we can reasonably expect to have firewalls in the 
network and what we can reasonably expect from their behavior, to be able to 
make better protocol design decisions.  Note that this is distinct from a 
document making deployment recommendations (or at least explicit ones).

I also think that there's value in reasoning about architecture, and publishing 
a document describing that reasoning.  I suspect that having it come from the 
IAB might reduce some of the friction in moving the document along, but it 
might not reduce it enough.  But it's quite clear to me that because nearly any 
discussion related to middleboxes has erupted into ideological warfare we've 
been hampered in producing particularly thoughtful architectural work on what 
it means to have them in the network, instead knocking out stopgap workaround 
protocols here and there, and that's unfortunate.

This should particularly be a concern given the possibility that i2nsf is going 
to be chartered, where there will be some serious issues around trust, 
authority, and delegation.  It very likely would have been useful to have this 
document as those discussions progressed.

That said, I expect that if this is adopted again by opsawg, it will not be a 
fun ride.  But it might be worthwhile to do it anyway.

Melinda

_______________________________________________
OPSAWG mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsawg
