On Wed, 19 Feb 2014, Fernando Gont wrote:


When I read this document, it feels very much like requirements for an enterprise style firewall. This is not defined in the document, but it just says "firewall". I believe the requirements for a host based firewall, a residential CPE based firewall, and a full-blown enterprise firewall are quite different (considering the amount of complexity both in implementation and configuration required).

So while I think this is a worthwhile document for enterprise firewalls, I think it should be clearly stated that this is the intended application.

I read some ND validation requirements, which then reminded me that some people run firewalls in L2 mode, and some run in L3 mode. The requirements for these deployment scenarios are different, and the document should probably reflect that.

Another requirement that would be beneficial is that the firewall warns the operator if a policy is to be applied that violates RFC 4890, for instance paragraph 4.3.1. This would mean fewer firewall admins would hopefully filter essential ICMPv6 packets.

Mikael Abrahamsson    email: swm...@swm.pp.se

OPSEC mailing list
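
The kind of operator warning suggested in the message above, sketched as an added example that is not part of the original message or of any firewall product: a first-match ICMPv6 policy is checked against the RFC 4890 section 4.3.1 "must not be dropped" list for transit traffic. The rule format (dicts with `action`, `icmp6_type`, `icmp6_code`) and the sample policy are assumptions made for illustration.

```python
# Added example: lint an ICMPv6 filter policy against RFC 4890 section 4.3.1.
# The rule format below is hypothetical; None in a rule field is a wildcard.

ALL_CODES = range(256)

# RFC 4890 section 4.3.1, transit traffic that must not be dropped:
# ICMPv6 type -> codes covered by the recommendation.
MUST_NOT_DROP = {
    1: ALL_CODES,    # Destination Unreachable, all codes
    2: ALL_CODES,    # Packet Too Big
    3: [0],          # Time Exceeded, code 0 only
    4: [1, 2],       # Parameter Problem, codes 1 and 2 only
    128: ALL_CODES,  # Echo Request
    129: ALL_CODES,  # Echo Response
}

def effective_action(policy, icmp_type, code, default="drop"):
    """Return the action of the first rule matching (type, code)."""
    for rule in policy:
        t, c = rule.get("icmp6_type"), rule.get("icmp6_code")
        if (t is None or t == icmp_type) and (c is None or c == code):
            return rule["action"]
    return default  # no rule matched: the policy's default applies

def lint_policy(policy, default="drop"):
    """Map each protected ICMPv6 type to the codes the policy would drop."""
    findings = {}
    for icmp_type, codes in MUST_NOT_DROP.items():
        dropped = [c for c in codes
                   if effective_action(policy, icmp_type, c, default) != "accept"]
        if dropped:
            findings[icmp_type] = dropped
    return findings

# Constructed sample policy with a default of "drop".
SAMPLE_POLICY = [
    {"action": "accept", "icmp6_type": 1, "icmp6_code": None},
    {"action": "accept", "icmp6_type": 2, "icmp6_code": None},
    {"action": "drop", "icmp6_type": 3, "icmp6_code": None},   # too broad
    {"action": "accept", "icmp6_type": 4, "icmp6_code": 1},    # code 2 missing
    {"action": "accept", "icmp6_type": 128, "icmp6_code": None},
    {"action": "accept", "icmp6_type": 129, "icmp6_code": None},
]

if __name__ == "__main__":
    for icmp_type, codes in lint_policy(SAMPLE_POLICY).items():
        print(f"WARNING: policy drops ICMPv6 type {icmp_type} codes {codes} "
              "(RFC 4890 section 4.3.1: must not be dropped)")
```

The check evaluates the effective action per type and code, so it also catches essential messages that are lost to the default-drop rule and not only to an explicit drop rule.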