On 2012-01-07 06:03, Jared Mauch wrote:
> On Jan 5, 2012, at 10:31 PM, Fernando Gont wrote:
> 
>> On 01/05/2012 11:08 PM, Joel M. Halpern wrote:
>>> Are we really prepared to say that there can be no new protocols at the
>>> Internet or Transport layer, ever again?  Not even new extensions?
>> I'm personally ready to admit that new transport protocols and new IPv4
>> options are hard to deploy.
>>
>>
>>> I do not think most folks have that view.
>>> But that is the corollary of the assumption that
>>> a) things need to work through firewalls
>> I don't have such an assumption. Actually, I'm rather in the camp of what
>> somebody wrote years ago "firewall-friendly protocols are really
>> 'firewall-unfriendly', because they are designed to circumvent the
>> policies specified by the firewall administrators".
>>
>> So I don't think that one should necessarily design protocols to work
>> through firewalls. But at the same time one shouldn't be surprised if
>> they don't.
>>
>>
>>> b) that firewalls will and should block everything that they do not
>>> understand.
>> Well, firewalls generally enforce policies, and they generally try to
>> allow the "good" stuff in, while keeping the "bad" stuff out, with the
>> assumption that "good" is only that stuff that "I know and I need".
>>
>> When one wears the protocol-development hat, that's frustrating and
>> ugly. When one wears the "security" hat, that's the obvious way to avoid
>> trouble for stuff that you don't really need.
>>
>> As usual, it's also clear that taking things to the extreme is usually
>> not a good idea.
> 
> 
> I have to say, I'm certainly not as defeatist as Joel sounds, but I do
> hear his concern.
> 
> I do firmly believe we can't solve everyone's broken network issues or
> keep them from doing something wrong.

Somehow, it doesn't seem as if RFC 2979 is having much impact these days.
It's definitely off-topic for this WG, but maybe it's time that the IETF
faced up to firewalls in the same way that BEHAVE has faced up to NATs.

    Brian
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
