On 2012-01-07 06:03, Jared Mauch wrote:
> On Jan 5, 2012, at 10:31 PM, Fernando Gont wrote:
>
>> On 01/05/2012 11:08 PM, Joel M. Halpern wrote:
>>> Are we really prepared to say that there can be no new protocols at the
>>> Internet or Transport layer, ever again. Not even new extensions?
>> I'm personally ready to admit that new transport protocols and new IPv4
>> options are hard to deploy.
>>
>>
>>> I do not think most folks have that view.
>>> But that is the corollary of the assumption that
>>> a) things need to work through firewalls
>> I don't have such an assumption. Actually, I'm rather in the camp of what
>> somebody wrote years ago "firewall-friendly protocols are really
>> 'firewall-unfriendly', because they are designed to circumvent the
>> policies specified by the firewall administrators".
>>
>> So I don't think that one should necessarily design protocols to work
>> through firewalls. But at the same time one shouldn't be surprised if
>> they don't.
>>
>>
>>> b) that firewalls will and should block everything that they do not
>>> understand.
>> Well, firewalls generally enforce policies, and they generally try to
>> allow the "good" stuff in, while keeping the "bad" stuff out, with the
>> assumption that "good" is only that stuff that "I know and I need".
>>
>> When one wears the protocol-development hat, that's frustrating and
>> ugly. When one wears the "security" hat, that's the obvious way to avoid
>> trouble for stuff that you don't really need.
>>
>> As usual, it's also clear that taking things to the extreme is usually
>> not a good idea.
>
>
> I have to say, I'm certainly not as defeatist as Joel sounds, but I do
> hear his concern.
>
> I do firmly believe we can't solve everyone's broken network issues or
> keep them from doing something wrong.
Somehow, it doesn't seem as if RFC 2979 is having much impact these days. It's definitely off-topic for this WG, but maybe it's time that the IETF faced up to firewalls in the same way that BEHAVE has faced up to NATs.

Brian