Hi, Mikael,

Thanks so much for your feedback! Please find my comments in-line...

On 02/19/2014 06:37 PM, Mikael Abrahamsson wrote:
> 
> When I read this document, it feels very much like requirements for an
> enterprise style firewall. This is not defined in the document, but it
> just says "firewall". I believe the requirements for a host based
> firewall, a residential CPE based firewall, and a full-blown enterprise
> firewall are quite different (considering the amount of complexity both
> in implementation and configuration required).
> 
> So while I think this is a worthwhile document for enterprise firewalls,
> I think it should be clearly stated that this is the intended application.

This is a really good point. Thanks for raising it! We will try to make
this point clear in the next rev.



> I read some ND validation requirements, which then reminded me that some
> people run firewalls in L2 mode, and some run in L3 mode. The
> requirements for these deployment scenarios are different, and the
> document should probably reflect that.

Agreed.



> Another requirement that would be beneficial, is that the firewall warns
> the operator if a policy is to be applied that violates RFC 4890, for
> instance paragraph 4.3.1. This would mean fewer firewall admins would
> hopefully filter essential ICMPv6 packets.

Not sure whether compliance of firewall rules with the whole of RFC 4890 might be
"too much". For instance, if you filter ND packets, you'll find it very
easily. Probably the one that'd be worth warning about is filtering ICMPv6 PTB...

Thanks so much!

Cheers,
-- 
Fernando Gont
e-mail: ferna...@gont.com.ar || fg...@si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1



_______________________________________________
OPSEC mailing list
OPSEC@ietf.org
https://www.ietf.org/mailman/listinfo/opsec
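The check Mikael suggests (warn the operator when a policy would drop ICMPv6 traffic that RFC 4890 section 4.3.1 says must not be dropped in transit) can be prototyped in a few lines. The script below is an added example and is not code from either participant or from any firewall product; the `Rule` model with first-match semantics and an implicit default action is an assumption made for the illustration, and the two sample policies are constructed here. The essential (type, code) pairs are those of RFC 4890 section 4.3.1: Destination Unreachable (type 1, all codes), Packet Too Big (type 2), Time Exceeded code 0 (type 3), Parameter Problem codes 1 and 2 (type 4), and Echo Request/Reply (types 128/129). It goes slightly beyond the PTB case Fernando singles out by checking all of those pairs, and it only reports a rule when that rule is actually the first match for an essential packet, so an earlier permit for PTB followed by a catch-all drop is not flagged.

```python
"""Warn when a simplified IPv6 firewall policy would drop ICMPv6 traffic that
RFC 4890, section 4.3.1 ("Traffic That Must Not Be Dropped") lists as
essential for transit traffic.  Added example; the Rule model is assumed."""

from dataclasses import dataclass
from typing import List, Optional, Tuple

# (type, code, name) pairs from RFC 4890 section 4.3.1.  Type 1 has codes 0-7.
ESSENTIAL: List[Tuple[int, int, str]] = (
    [(1, c, "Destination Unreachable") for c in range(0, 8)]
    + [(2, 0, "Packet Too Big")]
    + [(3, 0, "Time Exceeded (hop limit exceeded)")]
    + [(4, 1, "Parameter Problem (unrecognised Next Header)"),
       (4, 2, "Parameter Problem (unrecognised IPv6 option)")]
    + [(128, 0, "Echo Request"), (129, 0, "Echo Reply")]
)


@dataclass
class Rule:
    """One entry of a hypothetical, first-match ordered policy."""
    action: str                       # "permit" or "drop"
    proto: str = "any"                # "icmpv6", "any", or another protocol
    icmp_type: Optional[int] = None   # None matches every ICMPv6 type
    icmp_code: Optional[int] = None   # None matches every code

    def matches(self, icmp_type: int, icmp_code: int) -> bool:
        # Rules for other protocols can never match an ICMPv6 packet.
        if self.proto not in ("any", "icmpv6"):
            return False
        if self.icmp_type is not None and self.icmp_type != icmp_type:
            return False
        if self.icmp_code is not None and self.icmp_code != icmp_code:
            return False
        return True


def first_match(rules: List[Rule], icmp_type: int, icmp_code: int,
                default: str = "drop") -> Tuple[Optional[int], str]:
    """Return (rule index, action) of the first rule matching the packet,
    or (None, default) when no rule matches (implicit default policy)."""
    for idx, rule in enumerate(rules):
        if rule.matches(icmp_type, icmp_code):
            return idx, rule.action
    return None, default


def check_policy(rules: List[Rule], default: str = "drop") -> List[str]:
    """Return one warning per essential ICMPv6 (type, code) the policy drops."""
    warnings = []
    for icmp_type, icmp_code, name in ESSENTIAL:
        idx, action = first_match(rules, icmp_type, icmp_code, default)
        if action == "drop":
            where = f"rule #{idx}" if idx is not None else "implicit default"
            warnings.append(
                f"{where} drops ICMPv6 type {icmp_type} code {icmp_code} ({name});"
                " RFC 4890 section 4.3.1 says it must not be dropped")
    return warnings


# Constructed sample policies (not taken from any real deployment).
GOOD_POLICY = [
    Rule("permit", "icmpv6", 1),
    Rule("permit", "icmpv6", 2),
    Rule("permit", "icmpv6", 3, 0),
    Rule("permit", "icmpv6", 4, 1),
    Rule("permit", "icmpv6", 4, 2),
    Rule("permit", "icmpv6", 128),
    Rule("permit", "icmpv6", 129),
    Rule("drop", "icmpv6"),            # everything else ICMPv6
]

# The common mistake: allow ping, then silently drop all other ICMPv6,
# which also kills Packet Too Big and breaks path MTU discovery.
BAD_POLICY = [
    Rule("permit", "icmpv6", 128),
    Rule("permit", "icmpv6", 129),
    Rule("drop", "icmpv6"),
]

if __name__ == "__main__":
    for label, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(f"{label} policy: {len(check_policy(policy))} warning(s)")
        for w in check_policy(policy):
            print("  WARNING:", w)
```

Running the script prints no warnings for the first policy and twelve for the second (every Destination Unreachable code, Packet Too Big, Time Exceeded code 0 and both Parameter Problem codes). A real implementation would also have to model the firewall's L2/L3 mode and the local-configuration traffic of section 4.4 (ND, MLD) that Mikael's L2/L3 remark touches on, which this example deliberately leaves out.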
