[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: CPE equipments and stateful filters

To: Fred Baker <fred@cisco.com>, Gert Doering <gert@Space.Net>
Subject: RE: CPE equipments and stateful filters
From: Christian Huitema <huitema@windows.microsoft.com>
Date: Fri, 27 Jul 2007 23:21:10 -0700
Cc: IPv6 Operations <v6ops@ops.ietf.org>
In-reply-to: <A2BF01DC-B9DE-47FD-B6E1-9E95B14458E7@cisco.com>
References: <20070723193610.70736233CB@coconut.itojun.org> <319C5A3B-939C-48BD-AF65-93E41F09406B@cisco.com> <200707241931.19400.rdenis@simphalempin.com> <884C56D2-F80F-43F4-91D9-B04A0DD7D484@cisco.com> <20070727180131.GA69215@Space.Net> <A2BF01DC-B9DE-47FD-B6E1-9E95B14458E7@cisco.com>

> Lets make one thing real clear. It is abundantly clear to the vendors
> in the room that there is a market for IPv6 CPEs with firewalls.

The market is based on supposed customer demand. Customer demand
evolves. You cite an obvious benefit, "hide my home network from my
ISP". But there is an equivalent cost, "prevent Skype from working
well". Or Bit Torrent, or whatever peer to peer application happens to
be popular. 

The choice is really between host firewalls and CPE firewalls. Both
achieve the "isolation" goal. The big difference is that host firewalls
can be controlled by a local API, while controlling a CPE is much
harder. If the host has adequate protection, then the intermediate
firewall in the CPE increases the overall cost without adding any
significant value.

> Technology religion to the contrary isn't going to stop that. So
> shouting at the top of your lungs that "we don't like firewalls" is
> in essence pissing into the wind. Save your breath. The products are
> going to be built and deployed. 

You are making the pessimist argument: since the worse is unavoidable,
it would be best to stop whining and just deal with it. Application
developers are actually used to that approach -- develop for the network
you have, and route around the damage inflicted by half-brained boxes.
Most likely, they will develop "automatic firewall traversal"
strategies. In a peer to peer network, for example, they will probably
invent a "pre-SYN" message that is relayed through a third party, so
that the two peers send their SYN packets simultaneously and effectively
defeat stateful packet inspection. Or, maybe, they will achieve the same
result using IPSEC. Or they will use a transport over UDP. Welcome to
the arms race.

-- Christian Huitema

References:
- CPE equipments and stateful filters
  - From: itojun@itojun.org (Jun-ichiro itojun Hagino)
- Re: CPE equipments and stateful filters
  - From: Fred Baker <fred@cisco.com>
- Re: CPE equipments and stateful filters
  - From: Rémi Denis-Courmont <rdenis@simphalempin.com>
- Re: CPE equipments and stateful filters
  - From: Fred Baker <fred@cisco.com>
- Re: CPE equipments and stateful filters
  - From: Gert Doering <gert@space.net>
- Re: CPE equipments and stateful filters
  - From: Fred Baker <fred@cisco.com>

Prev by Date: Re: CPE equipments and stateful filters
Next by Date: I-D ACTION:draft-ietf-v6ops-teredo-security-concerns-00.txt
Previous by thread: Re: CPE equipments and stateful filters
Next by thread: Re: CPE equipments and stateful filters
Index(es):
- Date
- Thread