[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Simple Security - Layered Filtering should be in the document

To: Gregory M. Lebovitz <gregory.ietf@gmail.com>
Subject: Re: Simple Security - Layered Filtering should be in the document
From: Shane Amante <shane@castlepoint.net>
Date: Wed, 29 Jul 2009 18:07:57 +0200
Cc: Pekka Savola <pekkas@netcore.fi>, v6ops@ops.ietf.org
In-reply-to: <4a700e65.25e2660a.04e1.3841@mx.google.com>
References: <4a6f8b8b.0a1ad00a.2cb2.ffffcf87@mx.google.com> <alpine.LRH.2.00.0907291028310.18296@netcore.fi> <4a700e65.25e2660a.04e1.3841@mx.google.com>

Greg,

On Jul 29, 2009, at 10:54 GMT+02:00, Gregory M. Lebovitz wrote:

At 12:32 AM 7/29/2009, Pekka Savola wrote:
On Tue, 28 Jul 2009, Gregory M. Lebovitz wrote:
James,
Layered filtering should be included in the document. It is anOPTION that people really need in an environment where the use oftunneling is growing rapidly. I would appreciate it if others whoagree would ack this email to the list.
Could you provide a list of, say, 5 CPE equipments from variousvendors in sub-100$ price range that currently provide this feature(with v4)? That might go a long way in convincing those unbelieversin the WG such as myself that this is a common and importantfeature in this context?
Point well taken in v4, Pekka. But the Internet is changing. Therewasn't tons of encapsulation layering in the past. It's becomingmore and more relevant now, and especially in v6. I'm sitting inSoftwires WG right now. Most of this is about tunneling one IP thinkover another. We're on the 5 proposal now, or so.
Conclusion: I don't think looking at what vendors have been doingfor the past 10 years is a good indicator of what is needed in thenext 10 years, because the networking is dramatically changing.

I agree with what Pekka said, however I'll add an additional twist.Specifically, it's important to bear in mind the principle of "leastsurprise". IOW, if this isn't widely implemented in v4 CPE routerstoday, then it's a new thing non-technical users will have tospecifically learn to disable in v6 CPE routers to get things workingin a v6 world.

On a separate, but related, note, I would also add the obviousargument that if the proposal is to enable filtering for protocolswithin the tunnel, then this will restrict a significant avenue ofdeployment and/or expansion of new (Internet) protocols over tunnels,which IMO is NOT a good thing. For better or worse, tunneling seemsto be a default avenue for building new protocols on top of legacyinfrastructure.


-shane

Follow-Ups:
- Re: Simple Security - Layered Filtering should be in the document
  - From: "Gregory M. Lebovitz" <gregory.ietf@gmail.com>

References:
- Fwd: Simple Security - Layered Filtering should be in the document
  - From: "Gregory M. Lebovitz" <gregory.ietf@gmail.com>
- Re: Fwd: Simple Security - Layered Filtering should be in the document
  - From: Pekka Savola <pekkas@netcore.fi>
- Re: Fwd: Simple Security - Layered Filtering should be in the document
  - From: "Gregory M. Lebovitz" <gregory.ietf@gmail.com>

Prev by Date: Re: R41 in draft-ietf-v6ops-cpe-simple-security-07
Next by Date: Re: Simple Security - Layered Filtering should be in the document
Previous by thread: Re: Simple Security - Layered Filtering should be in the document
Next by thread: Re: Simple Security - Layered Filtering should be in the document
Index(es):
- Date
- Thread