Re: CPE equipments and stateful filters
On 2007-07-24 19:31, Jun-ichiro itojun Hagino wrote:

	but i suggest that we need to be REAL careful about the default
	settings.
I agree. But the market reality (and we heard it explicitly from a
well known CPE vendor at the microphone) is that they will not sell
$50 consumer gateways that allow incoming unsolicited SYN or UDP
by default. We need to make realistic recommendations in that context.
Hm, but another vendor, better known for other stuff, but also selling fine CPEs, presented a draft, and he told us that one of the reasons they decided to flip their default from no filtering to rejecting incoming sessions is that the IETF has consensus that this is the best approach.

	i do not remember seeing IETF consensus on this matter.

In fact RFC 4864 is an informational document that does not
use RFC 2119 keywords, and its scope is very clear (see
the Abstract): a description of how a site can obtain the
claimed benefits of NAT without using a NAT. Among other things,
iff you want stateful firewalling, RFC 4864 shows that you don't
need a NAT to obtain it.

That is orthogonal to the question of whether stateful firewalling
is a good thing.

I think we should write the CPE document in the same spirit - if
you want a stateful firewall in your CPE, here is what it should do.
(And I have no doubt we can learn from BEHAVE.)

    Brian