Hi, Brian, Thanks so much for your feedback! Please find my comments in-line...
On 10/18/2015 11:52 PM, Brian E Carpenter wrote: > Hmm. I've finally made time to read this draft, to find out what the > fuss is about... > > Firstly, I have to find a polite way of saying... well, I can't, so > here it is: delete the Introduction and try again. I think the present > text is guaranteed to annoy just about everybody, and evidently it will > not "end the bickering." Point taken. The intro will be replaced. While we're past the I-D submission cutoff, I'll craft replacing text and post it here for review. > (I gave my own potted history of security in the IETF in the plenary > at IETF 88, slides 2-4.) Thanks for the pointer. I will go through it. > Then, I can see 12 RFCs in the index whose titles include the word 'firewall' > and that only scratches the surface; there are literally hundreds of > references > to firewalls in existing RFCs. IMHO, if this draft aims to survey the field, > it needs to survey the IETF and non-IETF literature much better (perhaps as > an appendix). Will do. > Overall, this draft seems to me to be an opinion piece. That's fine of course, > everyone is entitled to state their opinion, but I'm not sure that it helps > the IETF to know what to do next. It reads more like a CCR editorial article > or an Independent Submission RFC. Among other things, I think it is useful in implicitly noting areas where further work is needed. > To some more specific comments: > > Section 4.1 seems to increase rather than decrease the popular confusion > between firewall functions and NAT functions. I would prefer to see > NAT described in a separate section *as a side issue*. NAT failure modes > are not the same as firewall failure modes. I think that people confuse NAT device vs. NAT functionality. A NAT device enforces, as a side effect, a diode-firewall (only allow return traffic) functionality. Address Translation itself has nothing to do with firewalling, but the side a effect does. That said, we'll move the NAT stuff to a separate section. Other folks seem to share your opinion, too. > Section 4.3 cites draft-vyncke-advanced-ipv6-security, which is very dead > as far as I can tell. I don't think we should be citing dead work > in a current IETF draft. Point taken. Although they might revise soon -- we'll remove or keep it based on what they do about it. Thanks! Best regards, -- Fernando Gont SI6 Networks e-mail: fg...@si6networks.com PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492 _______________________________________________ OPSAWG mailing list OPSAWG@ietf.org https://www.ietf.org/mailman/listinfo/opsawg