On Mon, May 22, 2023 at 12:29 PM Fernando Gont <[email protected]> wrote:
>
> Hi, David,
>
> On 22/5/23 18:05, David Farmer wrote:
> [...]
> >
> > I think that many of us are still reeling from default configuration of
> > certain "firewalls" that banks seemed to like, which dropped packets containing
> > ECN, and TCP options, and made it very very difficult to deploy new things.
> > Even when at the IETF standards level... (so "innovation with permission")
> >
> >
> > So, I think we need "permissionless innovation" at the Internet level.
> > Nevertheless, that doesn't mean "innovation with permission" isn't
> > appropriate in some or even many situations. For example, in a situation
> > involving public safety, like a nuclear reactor or a missile control
> > system. We can all agree that "permissionless innovation" isn't
> > necessarily appropriate in situations like these.
>
> For the Security guy, the "nuclear reactor" is the infrastructure that,
> if compromised or DoS'd, causes clients to complain, money to be lost, and
> eventually, staff to be fired.
>
Fernando,

That's the viewpoint for a Network Security guy, but as a Host Security guy, network policy ostensibly put in place to protect the host is irrelevant. The reason should be obvious: unless there is a network security policy consistently implemented across all networks, we, host developers and application developers, can't count on it, and it really doesn't help secure the host. In fact, it's more likely that these inconsistent policies are counterproductive, since we have to insert hacks to try to work around network security policies, which themselves could create issues (for instance, think about the hacks we need to do to try to keep an anonymous stateful firewall in the path from arbitrarily evicting our connection from its cache).

Tom

> Yes, I love to play with EHs.... in a lab. :-)
>
> Thanks,
> --
> Fernando Gont
> e-mail: [email protected]
> PGP Fingerprint: 7F7F 686D 8AC9 3319 EEAD C1C8 D1D5 4B94 E301 6F01
>
> _______________________________________________
> v6ops mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/v6ops

_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
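The "hacks to keep an anonymous stateful firewall in the path from arbitrarily evicting our connection from its cache" that Tom mentions are, on most hosts, TCP keepalives whose idle timer is tuned to fire before the middlebox's state entry expires. The following is an added example, not code from the thread or from any of the participants: it enables keepalives on a socket from Python, reads back what the kernel actually applied, and checks the probe timer against an assumed middlebox idle timeout. The option names are Linux's (TCP_KEEPIDLE, TCP_KEEPINTVL, TCP_KEEPCNT); macOS calls the idle timer TCP_KEEPALIVE and other platforms may expose none of them, so each is applied only if present. The 60-second middlebox timeout is a constructed value, since a host has no way to learn the real one, which is exactly the inconsistency Tom complains about.

```python
import socket

# Per-platform socket option names; anything missing on the running platform
# is skipped. (Assumption: Linux/FreeBSD naming, macOS uses TCP_KEEPALIVE for
# the idle timer.)
_IDLE_OPT = getattr(socket, "TCP_KEEPIDLE", None) or getattr(socket, "TCP_KEEPALIVE", None)
_INTERVAL_OPT = getattr(socket, "TCP_KEEPINTVL", None)
_COUNT_OPT = getattr(socket, "TCP_KEEPCNT", None)


def configure_keepalive(sock, idle_secs=60, interval_secs=10, probe_count=3):
    """Enable TCP keepalive on sock and return the settings the kernel reports
    back via getsockopt, so the caller can verify what was really applied
    rather than trusting the request."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    # BSD-derived stacks return the option's bit mask rather than 1, so
    # normalise to a boolean before handing it back.
    applied = {"SO_KEEPALIVE": bool(sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE))}
    for name, opt, value in (
        ("idle", _IDLE_OPT, idle_secs),
        ("interval", _INTERVAL_OPT, interval_secs),
        ("count", _COUNT_OPT, probe_count),
    ):
        if opt is None:
            continue  # platform does not expose this knob
        sock.setsockopt(socket.IPPROTO_TCP, opt, value)
        applied[name] = sock.getsockopt(socket.IPPROTO_TCP, opt)
    return applied


def probe_schedule_fits(idle_secs, interval_secs, middlebox_idle_timeout):
    """True if keepalives will refresh a stateful middlebox's flow entry before
    it expires. One full probe interval of headroom is required so that a
    single lost probe is retransmitted before the entry is evicted."""
    return idle_secs + interval_secs < middlebox_idle_timeout


def dead_peer_detection_secs(idle_secs, interval_secs, probe_count):
    """Worst-case seconds before an unresponsive peer is reported to the
    application: the idle timer plus every unanswered probe."""
    return idle_secs + interval_secs * probe_count


if __name__ == "__main__":
    # Constructed example: an assumed 60 s middlebox idle timeout.
    MIDDLEBOX_TIMEOUT = 60
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        applied = configure_keepalive(s, idle_secs=30, interval_secs=5, probe_count=4)
    print("applied:", applied)
    print("fits 60 s middlebox:", probe_schedule_fits(30, 5, MIDDLEBOX_TIMEOUT))
    print("dead peer noticed after:", dead_peer_detection_secs(30, 5, 4), "s")
```

Reading the values back matters: a setsockopt that silently failed, or an option that does not exist on the platform, leaves the connection with the kernel defaults (two hours of idle on Linux), which no stateful middlebox will tolerate. The schedule check is only as good as the assumed timeout, which is the point: the host is guessing at policy it cannot observe.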
