Hi Fernando,

> -----Original Message-----
> From: ipv6-boun...@ietf.org [mailto:ipv6-boun...@ietf.org] On Behalf Of Fernando Gont
> Sent: Thursday, January 05, 2012 7:32 PM
> To: Joel M. Halpern
> Cc: ipv6@ietf.org; Brian E Carpenter
> Subject: To firewall or not to firewall (was: Re: Fragmentation-related security issues)
>
> On 01/05/2012 11:08 PM, Joel M. Halpern wrote:
> > Are we really prepared to say that there can be no new protocols at the
> > Internet or Transport layer, ever again. Not even new extensions?
>
> I'm personally ready to admit that new transport protocols and new IPv4
> options are hard to deploy.

SEAL at least does not require a new transport protocol nor new IP options in all of its manifestations, i.e., it can be embedded within TCP/UDP just fine.

> > I do not think most folks have that view.
> > But that is the corollary of the assumption that
> > a) things need to work through firewalls
>
> I don't have such assumption. Actually, I'm rather in the camp of what
> somebody wrote years ago: "firewall-friendly protocols are really
> 'firewall-unfriendly', because they are designed to circumvent the
> policies specified by the firewall administrators".
>
> So I don't think that one should necessarily design protocols to work
> through firewalls. But at the same time one shouldn't be surprised if
> they don't.

Some of these encapsulation approaches get around this by maintaining multiple candidate paths, and testing to find one or more of the candidates that are working. A candidate path that would traverse a blocking firewall would just be seen as a non-working path.

Thanks - Fred
fred.l.temp...@boeing.com

> > b) that firewalls will and should block everything that they do not
> > understand.
>
> Well, firewalls generally enforce policies, and they generally try to
> allow the "good" stuff in, while keeping the "bad" stuff out, with the
> assumption that "good" is only that stuff that "I know and I need".
>
> When one wears the protocol-development hat, that's frustrating and
> ugly. When one wears the "security" hat, that's the obvious way to avoid
> trouble for stuff that you don't really need.
>
> As usual, it's also clear that taking things to the extreme is usually
> not a good idea.
>
> Thanks,
> --
> Fernando Gont
> e-mail: ferna...@gont.com.ar || fg...@si6networks.com
> PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
>
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------