[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Simple Security - Layered Filtering should be in the document

To: Iljitsch van Beijnum <iljitsch@muada.com>, Yaron Sheffer <yaronf@checkpoint.com>
Subject: Re: Simple Security - Layered Filtering should be in the document
From: "Gregory M. Lebovitz" <gregory.ietf@gmail.com>
Date: Thu, 30 Jul 2009 23:56:17 -0700
Cc: Shane Amante <shane@castlepoint.net>,Pekka Savola <pekkas@netcore.fi>, "v6ops@ops.ietf.org" <v6ops@ops.ietf.org>
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:x-mailer:date:to:from:subject:cc:in-reply-to:references :mime-version:content-type; b=vpEg0ilOfhOmmpbKWq4pTapuAMR+WEs23a2PNATeCqbwJ2EsWj65U34fP6IsppwjsK LbujX47DVBaW6UyfQN6pgJdtZ8CuzXvmN3vL1Rvz/tJ5VLABoZqqxYEafjws6+zSnRwz gi0UzEnEqfr6r/MGK8lmujK7FJpj0FPr+IJDo=
In-reply-to: <552C077C-34BC-48A4-B9C2-E1888DD8C8ED@muada.com>
References: <4a6f8b8b.0a1ad00a.2cb2.ffffcf87@mx.google.com> <alpine.LRH.2.00.0907291028310.18296@netcore.fi> <4a700e65.25e2660a.04e1.3841@mx.google.com> <04596BBA-8D7F-46A0-BC14-2E61A5779236@castlepoint.net> <4a70daeb.1aba720a.0d4f.ffffaa18@mx.google.com> <A3D24F72-5F71-4619-9736-0C0B61E14134@muada.com> <7F9A6D26EB51614FBF9F81C0DA4CFEC80133E557CD17@il-ex01.ad.checkpoint.com> <552C077C-34BC-48A4-B9C2-E1888DD8C8ED@muada.com>

At 08:38 AM 7/30/2009, Iljitsch van Beijnum wrote:

On 30 jul 2009, at 16:53, Yaron Sheffer wrote:

For the sake of argument, if *all* the current <something>-in-IPv6
proposals
are standardized, then presumably they *will* go into mainstream OSes.


So whenever there's a new protocol there must be a new filter?

Maybe not for home gateways, but for true policy enforcement pointsin the network, yes, that his the case.

Isn't it simpler for the hosts that don't want to receive certain
packets to not run the protocol?

Sure. If all the valuable possessions in my home were unremovablybolted to the floor, and it was impossible for anyone without theretinal patterns and fingerprints of my direct family and invitedfriends to tough any of those things, then yes, I would have no needfor the locks on my home's doors. Likewise, if hosts were perfect atprotecting themselves and the network infrastructure between themacross all subnets, then there would be no need for network perimeter filters.


Gregory.

Follow-Ups:
- Re: Simple Security - Layered Filtering should be in the document
  - From: Gert Doering <gert@space.net>

References:
- Fwd: Simple Security - Layered Filtering should be in the document
  - From: "Gregory M. Lebovitz" <gregory.ietf@gmail.com>
- Re: Fwd: Simple Security - Layered Filtering should be in the document
  - From: Pekka Savola <pekkas@netcore.fi>
- Re: Fwd: Simple Security - Layered Filtering should be in the document
  - From: "Gregory M. Lebovitz" <gregory.ietf@gmail.com>
- Re: Simple Security - Layered Filtering should be in the document
  - From: Shane Amante <shane@castlepoint.net>
- Re: Simple Security - Layered Filtering should be in the document
  - From: "Gregory M. Lebovitz" <gregory.ietf@gmail.com>
- Re: Simple Security - Layered Filtering should be in the document
  - From: Iljitsch van Beijnum <iljitsch@muada.com>
- RE: Simple Security - Layered Filtering should be in the document
  - From: Yaron Sheffer <yaronf@checkpoint.com>
- Re: Simple Security - Layered Filtering should be in the document
  - From: Iljitsch van Beijnum <iljitsch@muada.com>

Prev by Date: RE: Simple Security - Layered Filtering should be in the document
Next by Date: Re: Simple Security - Layered Filtering should be in the document
Previous by thread: RE: Simple Security - Layered Filtering should be in the document
Next by thread: Re: Simple Security - Layered Filtering should be in the document
Index(es):
- Date
- Thread