
Re: ISMS working group and charter problems

2005-09-06 16:10:01
In message <9A2BB5EF-A137-439D-81AF-40B784D541A9(_at_)muada(_dot_)com>, Iljitsch van Beijnum writes:
On 7-sep-2005, at 0:16, Daniel Senie wrote:

Actually, a "Firewall Considerations" section would make sense.

What would be in such a section? There are only three possibilities:

1. There is no firewall: no need for text.
2. There is a firewall, and it doesn't try to block the protocol: no need for text.
3. There is a firewall, and it tries to block the protocol.

So what text would be helpful in case #3? Either the firewall successfully blocks the protocol and the firewall works and the protocol doesn't, or the firewall doesn't manage to block the protocol and the protocol works but the firewall doesn't. So whatever happens, someone is going to be unhappy.

Not at all.  Often, a firewall needs to know a fair amount about the 
protocol to do its job.  FTP is the simplest case -- it has to look for 
the PORT (and, in some configurations, the PASV) command.  H.323 and SIP 
are more complex.

But for complex protocols, we need to go a step further.  SIP has, 
built-in, provision for gateways.  There are a number of reasons for 
this, but firewall friendliness is certainly one of them.  The proper 
question is this: would adding something to the protocol enable it to 
operate properly in the presence of a firewall *without* subverting 
site security policy?  The lack of that latter consideration has led to 
people using http as the universal firewall traversal protocol, with 
the obvious bad side-effects.

                --Steven M. Bellovin, http://www.cs.columbia.edu/~smb
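The FTP case mentioned above, worked through as an added example that is not part of this thread: the check a firewall's FTP helper has to perform when it sees a client PORT command or a server 227 (PASV) reply before it opens a pinhole for the data connection. The function names, the peer addresses and the control-channel lines are constructed for the illustration.

```python
import re

# RFC 959 host-port form: h1,h2,h3,h4,p1,p2 (port = p1*256 + p2).
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}(?:,\d{1,3}){5})\)")

def parse_hostport(arg):
    """Decode h1,h2,h3,h4,p1,p2 into (ip, port); reject out-of-range octets."""
    nums = [int(x) for x in arg.split(",")]
    if len(nums) != 6 or any(n > 255 for n in nums):
        raise ValueError("malformed host-port argument")
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def alg_verdict(line, expected_host):
    """Inspect one control-channel line the way an FTP helper would.

    expected_host is the client's address for a PORT command and the
    server's address for a 227 reply. Returns ("allow", (ip, port)) for a
    pinhole to open, ("deny", reason) when the announcement violates policy,
    or None when the line announces no data connection at all.
    """
    m = PORT_RE.match(line) or PASV_RE.match(line)
    if not m:
        return None
    try:
        ip, port = parse_hostport(m.group(1))
    except ValueError:
        return ("deny", "malformed host-port argument")
    if ip != expected_host:  # data connection would go to a third party
        return ("deny", "announced address is not the control-connection peer")
    if port < 1024:          # data connection would land on a privileged service
        return ("deny", "announced port is privileged")
    return ("allow", (ip, port))

# Constructed control-channel excerpts (not real traffic); client 192.0.2.10
# is talking to server 192.0.2.20 through the firewall.
PEERS = {"client": "192.0.2.10", "server": "192.0.2.20"}
SAMPLE = [
    ("client", "PORT 192,0,2,10,7,210"),                            # 7*256+210 = 2002
    ("client", "PORT 198,51,100,7,0,25"),                           # third party, port 25
    ("server", "227 Entering Passive Mode (192,0,2,20,195,80)."),   # 195*256+80 = 50000
    ("server", "227 Entering Passive Mode (192,0,2,20,999,1)."),    # octet out of range
]

def run_sample():
    return [alg_verdict(line, PEERS[side]) for side, line in SAMPLE]

if __name__ == "__main__":
    for (side, line), verdict in zip(SAMPLE, run_sample()):
        print(f"{side:6} {line!r:52} -> {verdict}")
```

The point of the two policy checks is the one the message makes: the helper is not just finding the command, it is deciding whether the announced endpoint is something site policy would allow a pinhole for.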


