--On Monday, 05 March, 2007 09:15 -0800 "Hallam-Baker, Phillip"
From: Brian E Carpenter [mailto:brc(_at_)zurich(_dot_)ibm(_dot_)com]
(after also reading Michael's response)
I don't disagree. I think there is scope for writing a list
of desirable properties for SOHO routers in the light of
these various inputs. I'm less certain it can be done for
enterprise boundary routers. But it would be a tricky and
contentious job in both cases. Even draft-ietf-v6ops-nap took
many moons and several major editing passes, and it only
starts the work.
SOHO is the one that won't get done otherwise. The enterprise
folk have Gartner, Burton and the Jericho forum to express
their list of requirements through (and the RFP process to put
those requirements on the vendor product roadmaps).
From the SOHO perspective I have been saying for years now
that many of the problems we have wit bots would be
significantly reduced if SOHO routers and cable modems came
configured with an outbound firewall by default.
While I have disagreed with many of the other things Phillip has
said in this thread, I am in complete agreement with this one
and taken much the same position for some time. Indeed, I have
long suspected that the highest-leverage remedy for many spam
and malware issues would start with considering ISPs who supply
SOHO and, even more important, residential, connections without
supplying or requiring such firewalls at the boundary to be
liable for the damage that results.
While an IETF Standard specifying the capabilities such a
firewall should have and how it should be configured is neither
necessary nor sufficient to hold ISPs to that level of
accountability and liability, it would certainly be a very
useful step to clearly establish the requirements and their
importance. While I don't think the IETF list is the right
place to try to sort out Philip's specific configuration
suggestions, I note that none of the mass-market inexpensive
devices sold as "Cable/DSL Routers" or firewalls (at least those
I'm aware of) are even capable of being configured to do the
type of outbound rate limiting that he suggests.
Ietf mailing list