(coffee != sleep) & (!coffee == sleep) [email protected]
> From: OPSEC [[email protected]] on behalf of Cb B
> [[email protected]]
> Sent: Tuesday, February 18, 2014 10:17 PM
> To: Fernando Gont
> Cc: [email protected]
> Subject: Re: [OPSEC] IPv6 firewalls reqs: Rationale
>
>
> On Tue, Feb 18, 2014 at 9:09 PM, Fernando Gont <[email protected]>
> wrote:
> > Folks,
> >
> > As noted in my previous email, this is a request to discuss the first
> > item listed in my previous email:
> >
> > 1) Agree on a rationale to write this spec.
> >
> > For example, one possible rationale is "aim at providing parity of
> > features with IPv4". Another one could be that "should aim a
> > little higher". For example, in the light of
> > draft-farrell-perpass-attack we may aim at requiring some privacy
> > features that might not be that common in IPv4 firewalls.
> >
> >
> > Thoughts?

At least parity, but given what I have read so far I would say a bit higher.

> Why would you look to a middle box to add privacy or any feature at all?

That is a common expectation of middle boxes. That is why most people have firewalls, IPSes etc...

> AFAIK, "firewalls" are in a unique position to be a single point of
> failure for confidentiality, availability, and integrity.

Absolutely agree. But only when incorrectly managed. An UNMANAGED or user-managed device is frequently ignored and frequently improperly managed, leaving it open to all kinds of attacks.

> data point -
> https://isc.sans.edu/forums/diary/Linksys+Worm+TheMoon+Summary+What+we+know+so+far/17633

Not a firewall :)

> Is there an IPv4 document that is similar in nature at the IETF?

Tons :) But most were written w/o specifying IPv4. They were generally written from an IPv4 POV.

http://www.ietf.org/rfc/rfc2979.txt
http://www.ietf.org/rfc/rfc3093.txt
http://tools.ietf.org/search/rfc3511

There is even an IPv6 "not quite firewall" RFC.

https://tools.ietf.org/html/rfc6092

> Or
> is spec'ing firewalls a novel thing that for some reason is only
> relevant to IPv6

I think this work is valid and valuable but am not aware of a direct correlation in IPv4 RFCs. Many RFCs reference firewalls, talk to some of the issues etc... but I have never read an RFC for IPv4 that matches what Gont and company are trying to do here.

> CB
>
> > Yours,
> > --
> > Fernando Gont
> > e-mail: [email protected] || [email protected]
> > PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
> >
> > _______________________________________________
> > OPSEC mailing list
> > [email protected]
> > https://www.ietf.org/mailman/listinfo/opsec
