
firewalling points



Hello,

As there was no time for this in the meeting, I'd really like to hear 
thoughts from the wg on my firewalling considerations draft 
(draft-savola-v6ops-firewalling-00.txt).

Below is the core of the presentation.

To reiterate, I'd really like to hear thoughts:

 * Are these real problems?
 * If yes, do we have to do something?

If we agree on those, the rest should follow.

====
Issues
        RFC2460 ambiguity
                intermediate nodes must not process packets,
                but in practice they do -- what to do with e.g. unknown headers?
        Extension header chain parsing
                if an unknown header is encountered when looking for e.g.
                TCP/UDP headers, big problems
        Unknown Destination Options and security policy
                strict firewalls may disallow dstopts they don't recognize
        Firewalls and E2E ESP IPSEC
                can't apply security policy, must trust end-nodes
                could end up disallowed by default?
        Firewalls and Peer-to-Peer Apps
                how to allow in a controlled fashion?

Steps forward / What to Do?
        Do we have to do something?
                is a clarification wrt. processing required?
                is the restriction about new extension headers ok?
                how to deal with e2e IPSEC so that it's not disallowed?
                how to be able to manage p2p apps without compromising security?
                etc.
        If so, what?
                would it be useful to have this as a w.g. document and
                push for Informational?
                interaction with ipv6 wg on specification parts?
                solutions to bigger problems like ESP IPSEC or P2P must
                be developed individually
        Other thoughts?
====

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords
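The first three issues in the outline (header processing by intermediate nodes, extension header chain parsing, and unrecognized destination options) and the ESP point come down to one mechanical problem: a firewall has to walk the Next Header chain to find the transport header, and must decide explicitly what to do when it cannot. The following is an added example written for this archive page, not code from draft-savola-v6ops-firewalling-00 or from the poster. The header layouts follow RFC 2460; the policy knobs, the option allow-list, the experimental next-header value 253, and the sample packets are assumptions made for illustration.

```python
"""Walk an IPv6 extension-header chain the way a firewall must, and apply an
explicit policy when the chain cannot be fully parsed.

Added example; not code from the draft or the poster.  Layouts per RFC 2460:
HBH/DstOpts/Routing length is in 8-octet units minus 1, Fragment is a fixed
8 octets, AH length is in 4-octet units minus 2.  Policy defaults, allow-list
and sample packets are assumptions made for illustration.
"""
import struct

HOPOPT, TCP, UDP, ROUTING, FRAGMENT, ESP, AH, ICMPV6, NONXT, DSTOPTS = \
    0, 6, 17, 43, 44, 50, 51, 58, 59, 60
TRANSPORT = {TCP: "tcp", UDP: "udp", ICMPV6: "icmpv6"}
KNOWN_EXT = (HOPOPT, ROUTING, FRAGMENT, AH, DSTOPTS)


def walk_chain(pkt):
    """Follow Next Header from the fixed header.

    Returns (kind, detail, headers); headers lists (next_header, offset) for
    each extension header traversed.  kind is one of:
      transport  detail = "tcp"/"udp"/"icmpv6"; upper-layer header reachable
      esp        upper layer is encrypted; policy cannot see past this point
      none       No Next Header (59)
      unknown    detail = unrecognised value.  RFC 2460 defines no common
                 length field for headers a node does not implement, so the
                 walk has to stop here: this is the "big problems" case
      truncated  packet shorter than the header it advertises
    """
    headers = []
    if len(pkt) < 40:
        return "truncated", None, headers
    nh, off = pkt[6], 40
    while True:
        if nh in TRANSPORT:
            return "transport", TRANSPORT[nh], headers
        if nh == NONXT:
            return "none", None, headers
        if nh == ESP:
            return "esp", None, headers
        if nh not in KNOWN_EXT:
            return "unknown", nh, headers
        if off + 2 > len(pkt):
            return "truncated", nh, headers
        if nh == FRAGMENT:
            hdr_len = 8
        elif nh == AH:
            hdr_len = (pkt[off + 1] + 2) * 4
        else:
            hdr_len = (pkt[off + 1] + 1) * 8
        if off + hdr_len > len(pkt):
            return "truncated", nh, headers
        headers.append((nh, off))
        nh, off = pkt[off], off + hdr_len


def options(pkt, off):
    """Yield (type, data) for each option in the HBH/DstOpts header at off."""
    p, end = off + 2, off + (pkt[off + 1] + 1) * 8
    while p < end:
        t = pkt[p]
        if t == 0:              # Pad1: single zero octet, no length field
            p += 1
            continue
        ln = pkt[p + 1]
        yield t, pkt[p + 2:p + 2 + ln]
        p += 2 + ln


def firewall_verdict(pkt, permit_unknown_headers=False, permit_esp=False,
                     allowed_options=frozenset({1, 5})):
    """Strict policy (defaults are assumptions): permit only if the transport
    header is reachable and every HBH/DstOpts option is on the allow-list
    (1 = PadN, 5 = Router Alert).  Returns (verdict, reason)."""
    kind, detail, headers = walk_chain(pkt)
    for nh, off in headers:
        if nh in (HOPOPT, DSTOPTS):
            for t, _ in options(pkt, off):
                if t not in allowed_options:
                    # Bits 7-6 of the type tell an end-node what to do with an
                    # unrecognised option (00 skip, 01 discard, 1x discard+ICMP);
                    # a strict firewall drops regardless of those bits.
                    return "drop", "option type %d (action bits %d) not allowed" % (t, t >> 6)
    if kind == "transport":
        return "permit", detail
    if kind == "esp":
        return ("permit", "esp: trusting end-nodes") if permit_esp else ("drop", "esp: transport not visible")
    if kind == "unknown":
        return ("permit" if permit_unknown_headers else "drop"), "unknown next header %d" % detail
    return "drop", kind


# --- constructed sample packets (assumed addresses 2001:db8::1 -> 2001:db8::2) ---
SRC = bytes.fromhex("20010db8000000000000000000000001")
DST = bytes.fromhex("20010db8000000000000000000000002")


def ipv6(next_header, payload):
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64) + SRC + DST + payload


def options_header(next_header, opts):
    """HBH/DstOpts header padded with Pad1/PadN to a multiple of 8 octets."""
    pad = (-(2 + len(opts))) % 8
    if pad == 1:
        opts += b"\x00"
    elif pad > 1:
        opts += bytes([1, pad - 2]) + b"\x00" * (pad - 2)
    return bytes([next_header, (2 + len(opts)) // 8 - 1]) + opts


TCP_SYN = struct.pack("!HHIIBBHHH", 49152, 22, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
PKT_TCP = ipv6(HOPOPT, options_header(DSTOPTS, bytes([5, 2, 0, 0])) + options_header(TCP, b"") + TCP_SYN)
PKT_BAD_OPT = ipv6(DSTOPTS, options_header(TCP, bytes([0x80, 1, 0])) + TCP_SYN)
PKT_UNKNOWN_HDR = ipv6(253, bytes([TCP, 0]) + b"\x00" * 6 + TCP_SYN)
PKT_ESP = ipv6(FRAGMENT, struct.pack("!BBHI", ESP, 0, 0, 0x12345678) + b"\x00" * 16)

if __name__ == "__main__":
    for name, pkt in [("hbh+dstopts+tcp", PKT_TCP), ("unknown dstopt", PKT_BAD_OPT),
                      ("unknown ext hdr", PKT_UNKNOWN_HDR), ("frag+esp", PKT_ESP)]:
        print("%-16s %s" % (name, firewall_verdict(pkt)))
```

Run as a script to see one verdict per sample packet; the two knobs `permit_unknown_headers` and `permit_esp` are exactly the decisions the post says the draft leaves open: a strict default drops both, a permissive one has to trust the end-nodes.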