ietf

RE: NATs as firewalls

2007-03-05 11:57:09


--On Monday, 05 March, 2007 09:15 -0800 "Hallam-Baker, Phillip"
<pbaker(_at_)verisign(_dot_)com> wrote:


From: Brian E Carpenter [mailto:brc(_at_)zurich(_dot_)ibm(_dot_)com] 

John,

(after also reading Michael's response)

I don't disagree. I think there is scope for writing a list 
of desirable properties for SOHO routers in the light of 
these various inputs. I'm less certain it can be done for 
enterprise boundary routers. But it would be a tricky and 
contentious job in both cases. Even draft-ietf-v6ops-nap took 
many moons and several major editing passes, and it only 
starts the work.

SOHO is the one that won't get done otherwise. The enterprise
folk have Gartner, Burton and the Jericho forum to express
their list of requirements through (and the RFP process to put
those requirements on the vendor product roadmaps).

From the SOHO perspective I have been saying for years now
that many of the problems we have with bots would be
significantly reduced if SOHO routers and cable modems came
configured with an outbound firewall by default.
...

While I have disagreed with many of the other things Phillip has
said in this thread, I am in complete agreement with this one
and have taken much the same position for some time.  Indeed, I have
long suspected that the highest-leverage remedy for many spam
and malware issues would start with considering ISPs who supply
SOHO and, even more important, residential, connections without
supplying or requiring such firewalls at the boundary to be
liable for the damage that results.

While an IETF Standard specifying the capabilities such a
firewall should have and how it should be configured is neither
necessary nor sufficient to hold ISPs to that level of
accountability and liability, it would certainly be a very
useful step to clearly establish the requirements and their
importance.   While I don't think the IETF list is the right
place to try to sort out Phillip's specific configuration
suggestions, I note that none of the mass-market inexpensive
devices sold as "Cable/DSL Routers" or firewalls (at least those
I'm aware of) are even capable of being configured to do the
type of outbound rate limiting that he suggests.

    john
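What a default outbound firewall with the per-host rate limiting discussed above could look like on a small router, as an added example that is not part of the original thread or of any vendor's product. It is written for nftables (a Linux ruleset, not available on the 2007-era devices John describes) and assumes a LAN on eth1 (192.168.1.0/24), a WAN on eth0, and an ISP mail relay at 203.0.113.25; all three, and the rate figures, are assumptions chosen for illustration.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the thread): a SOHO router that is "outbound
# firewall by default".  Interfaces, addresses and rates are assumptions.
#   eth1 = LAN (192.168.1.0/24), eth0 = WAN, 203.0.113.25 = ISP mail relay.

flush ruleset

table inet soho {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections already permitted flow freely.
        ct state established,related accept
        ct state invalid drop

        # Unsolicited inbound traffic never reaches the LAN (policy drop
        # already covers this; the rule makes the intent explicit and
        # gives it a counter).
        iifname "eth0" oifname "eth1" counter drop

        # Everything leaving the LAN goes through the outbound policy.
        iifname "eth1" oifname "eth0" jump lan_out
    }

    chain lan_out {
        # Direct-to-MX mail is the classic bot signature.  Allow SMTP only
        # to the ISP relay, and even then cap each LAN host at a rate no
        # desktop mail client needs.  Connections over the cap are dropped
        # and logged so the subscriber (or ISP) can see the offending host.
        tcp dport 25 ip daddr 203.0.113.25 \
            meter smtp_per_host { ip saddr limit rate 10/minute burst 20 packets } accept
        tcp dport 25 counter log prefix "soho-smtp-drop " drop

        # General brake on scanners and spambots: a per-host ceiling on
        # *new* outbound connections of any protocol.  Ordinary browsing
        # stays well under this; a host opening hundreds of sessions a
        # minute is throttled rather than cut off outright.
        ct state new \
            meter conn_per_host { ip saddr limit rate 60/minute burst 120 packets } accept
        ct state new counter log prefix "soho-ratelimit " drop
    }
}
```

Load it with `nft -f <file>` and watch the counters with `nft list ruleset`. Two caveats a practitioner would want: the `meter` keys on `ip saddr`, so IPv6 hosts need parallel `ip6 saddr` rules with the same limits, and the numbers here are a starting point to be tuned against real traffic, since a limit that is too low simply teaches users to disable the firewall.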


_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf
