Hmm. I've finally made time to read this draft, to find out what the
fuss is about...

Firstly, I have to find a polite way of saying... well, I can't, so
here it is: delete the Introduction and try again. I think the present
text is guaranteed to annoy just about everybody, and evidently it will
not "end the bickering."

(I gave my own potted history of security in the IETF in the plenary
at IETF 88, slides 2-4.)

Then, I can see 12 RFCs in the index whose titles include the word 'firewall'
and that only scratches the surface; there are literally hundreds of references
to firewalls in existing RFCs. IMHO, if this draft aims to survey the field,
it needs to survey the IETF and non-IETF literature much better (perhaps as
an appendix).

Overall, this draft seems to me to be an opinion piece. That's fine of course,
everyone is entitled to state their opinion, but I'm not sure that it helps
the IETF to know what to do next. It reads more like a CCR editorial article
or an Independent Submission RFC.

To some more specific comments:

Section 4.1 seems to increase rather than decrease the popular confusion
between firewall functions and NAT functions. I would prefer to see
NAT described in a separate section *as a side issue*. NAT failure modes
are not the same as firewall failure modes.

Section 4.3 cites draft-vyncke-advanced-ipv6-security, which is very dead
as far as I can tell. I don't think we should be citing dead work
in a current IETF draft.

Regards
   Brian Carpenter

_______________________________________________
OPSAWG mailing list
OPSAWG@ietf.org
https://www.ietf.org/mailman/listinfo/opsawg