
Re: DEFCON BOF Report



Bernard,

I'm not sure, but it sounds to me like you are saying that these groups (DEFCON
& NETCONF) are looking at the wrong problem. It sounds like you think there are
very specific problems that occur with security gateway configuration in
practice, and that these groups should rather be focussing on solving those
problems than on the more abstract issues (firewall distribution and the syntax
for policy configuration) with which the BOFs were concerned. Is that so?

            jak

----- Original Message -----
From: "Bernard Aboba" <bernard_aboba@hotmail.com>
To: <kempf@docomolabs-usa.com>; <iab@ietf.org>; <iesg@ietf.org>
Sent: Monday, March 24, 2003 12:12 PM
Subject: Re: DEFCON BOF Report


> The tricky thing about controlling distributed firewalls is achieving
> reliable configuration. It's not clear to me that this is being taken into
> account in DEFCON (or NETCONF, for that matter).
>
> There are several issues to look out for:
>
> * Policy "lockup". This occurs when two sides of an IPsec security gateway
> end up with inconsistent policy. If the gateway is also the route by which
> the policy is distributed, then the network can be brought down and you need
> to use an out-of-band mechanism to reset the policies. This can also happen
> on hosts if the security policy is (mistakenly) set to drop traffic from the
> policy distribution mechanism. This is a real phenomenon that has been
> observed in practice.
>
> * Transacted changes. This occurs when a number of hosts need to change
> their policies in sync. For example, if IPsec SAs need to be upgraded from
> DES to 3DES. To avoid causing problems, the upgrades need to occur in sync
> -- or else some SAs won't be able to come up once the changes are made.
>
> In practice, to solve these issues may require concepts such as "last known
> good", "timed upgrades", and "switchover transactions". The former requires
> saving of a previous configuration, the middle requires time
> synchronization, and the latter requires a transaction monitor.
>
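The two failure modes in Bernard's quoted message (a gateway that locks itself out of the channel its policy arrives on, and a cipher upgrade applied to one end of an SA before the other) and the two safeguards he names ("last known good" and a "switchover transaction") are easy to see in a small simulation. The following is an added example written for this page; it is not code from the thread, from DEFCON/NETCONF, or from any product. The Rule and Policy formats, the Gateway class, the controller address 192.0.2.10 and the "ciphers" attribute are all hypothetical constructions; port 830 is the NETCONF-over-SSH port, assumed here to be the management channel a policy must never block. The switchover is a plain two-phase commit: every gateway stages and checks the candidate first, and the change is then activated everywhere or nowhere.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional

# Hypothetical policy-distribution host and its management port (830 = NETCONF
# over SSH).  A policy that drops this traffic can only be undone out of band.
CONTROLLER = "192.0.2.10"
MGMT_PORT = 830


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    src: str                        # source prefix in CIDR notation
    dst_port: Optional[int] = None  # None matches any destination port


@dataclass(frozen=True)
class Policy:
    rules: tuple                    # first-match rule list, default deny
    ciphers: FrozenSet[str]         # IPsec transforms this gateway will offer

    def permits(self, src: str, dst_port: int) -> bool:
        for r in self.rules:
            if ip_address(src) in ip_network(r.src) and r.dst_port in (None, dst_port):
                return r.action == "permit"
        return False


@dataclass
class Gateway:
    name: str
    running: Policy
    last_known_good: Optional[Policy] = None
    staged: Optional[Policy] = None

    def prepare(self, candidate: Policy) -> bool:
        """Phase 1: stage the candidate, refusing any policy that would drop
        the controller's own traffic (the "lockup" case)."""
        if not candidate.permits(CONTROLLER, MGMT_PORT):
            self.staged = None
            return False
        self.staged = candidate
        return True

    def commit(self) -> None:
        """Phase 2: activate the staged policy and keep the old one as
        "last known good" so rollback does not need an out-of-band reset."""
        assert self.staged is not None
        self.last_known_good, self.running, self.staged = self.running, self.staged, None

    def rollback(self) -> None:
        if self.last_known_good is not None:
            self.running, self.last_known_good = self.last_known_good, None

    def abort(self) -> None:
        self.staged = None


def sa_can_come_up(a: Gateway, b: Gateway) -> bool:
    """An SA between two gateways needs at least one transform in common."""
    return bool(a.running.ciphers & b.running.ciphers)


def switchover(gateways: List[Gateway], candidates: Dict[str, Policy]) -> bool:
    """Switchover transaction: verify the candidate set is mutually consistent,
    prepare on every gateway, then commit everywhere or nowhere."""
    names = [g.name for g in gateways]
    for i, x in enumerate(names):
        for y in names[i + 1:]:
            if not (candidates[x].ciphers & candidates[y].ciphers):
                return False           # the upgraded SAs would never come up
    prepared: List[Gateway] = []
    for g in gateways:
        if not g.prepare(candidates[g.name]):
            for p in prepared:
                p.abort()
            return False               # one node would lock up: change nothing
        prepared.append(g)
    for g in gateways:
        g.commit()
    return True


def lab():
    """Constructed two-gateway lab; both gateways currently offer DES only."""
    base = (Rule("permit", "192.0.2.0/24"), Rule("permit", "10.0.0.0/8", 500))
    des = Policy(base, frozenset({"des"}))
    return Gateway("gw-a", des), Gateway("gw-b", des)


def unsynchronised_upgrade():
    """gw-a moves to 3DES alone: the SA to the still-DES gw-b cannot come up
    until "last known good" is restored."""
    a, b = lab()
    a.staged = Policy(a.running.rules, frozenset({"3des"}))
    a.commit()
    broke = not sa_can_come_up(a, b)
    a.rollback()
    return broke, sa_can_come_up(a, b)


def transacted_upgrade():
    """Both gateways move to 3DES inside one switchover transaction."""
    a, b = lab()
    new = {g.name: Policy(g.running.rules, frozenset({"3des"})) for g in (a, b)}
    return switchover([a, b], new), sa_can_come_up(a, b)


def lockup_attempt():
    """A candidate that drops the controller is refused before activation."""
    a, b = lab()
    lockout = Policy((Rule("deny", "192.0.2.0/24"),) + a.running.rules, frozenset({"3des"}))
    ok = switchover([a, b], {"gw-a": lockout, "gw-b": lockout})
    return ok, a.running.ciphers == frozenset({"des"})
```

The consistency check in switchover() runs before any gateway is touched, which is what makes the DES-to-3DES case safe: a candidate set whose transforms do not overlap is rejected outright rather than discovered when the SAs fail to renegotiate. The "timed upgrade" Bernard mentions is the other way to get the same effect when a transaction monitor is not available; it needs clock synchronization across the gateways instead.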