
RE: Firewall control



(CC'ing BEHAVE)

On v6ops, Hesham Soliman wrote:

> We've submitted the draft below. I requested a slot from Fred 
> to discuss this in Vancouver.  I look forward to your input on 
> this.  We've received some comments from Dan Wing already about 
> some aspects of the draft which are underspecified or can be 
> improved. 

I have read both draft-soliman-firewall-control-00.txt and (previously) James
Woodyatt's ALD, draft-woodyatt-ald-01.txt.  At the BEHAVE working group
meeting at IETF69 in Chicago, James presented both v6ops-cpe-simple-security
and ALD.  Looking at the v6ops minutes, it appears James did not present ALD
to v6ops in Chicago but he did present v6ops-cpe-simple-security.

There is a lot of similarity between soliman-firewall-control and
woodyatt-ald.  As there are two proposals that provide a similar function, it
seems there is some community interest in creating a v6 protocol to allow
hosts to talk to v6 firewalls.  It would be to everyone's advantage to have
one solution, unless we 'want to see the desert bloom' with 3-4
non-interoperable standards like happened with v4 NATs.


The BEHAVE WG is only chartered for v4 NATs/NAPTs, but I have invited Hesham
to present soliman-firewall-control because BEHAVE working group members are
well-versed in the difficulties of simple CPE firewalling (a side-effect of v4
NAPTs), and I expect can provide constructive comments on the document.


I expect there may be sufficient interest in this topic to request a BoF in
Philadelphia, and have an informal meeting with interested parties in
Vancouver.  Thoughts?

-d