Re: [Fwd: [Saad] Some initiating thoughts...]


On Wednesday, October 22, 2003, at 09:21 AM, Erik Nordmark wrote:
> My gut feel is that the underlying issue is that firewall/filtering
> configuration is complex and error prone and that there is a question
> on the table how we can make this easier. For instance, are there architectural
> modifications that can improve the situation?
There are a lot of different questions there, actually,
and I think they tend to have different answers.  Firewall
configuration, for example, is not the same question
as firewall policy expression.   In practice it turns out
that it's an enormous problem that the policy language
we're currently using to express firewall (or border access)
rules is incredibly crude.  Port numbers and transport
protocols are used to describe applications, and addresses
are used to describe policy domains.  There are obvious
limitations to what can actually be achieved using 5-tuples
as policy tags, and consequently firewall vendors have
implemented stateful inspection of data streams to make sure,
for example, that the stuff passing through on port 80
is actually HTML.  And because they need to inspect data
to make sure that firewall policy isn't being contravened,
they disallow encrypted traffic, which in turn means that
security practice is being substantially undermined.

So there's a considerable ripple effect created when
a policy function is overloaded on addresses.  Presumably
this could be mitigated through the use of more refined
policy language and a somewhat different enforcement architecture,
but that would introduce different architectural problems as
yet pretty much undiscussed.

Melinda
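As an added illustration (not part of the thread), a small Python model of the point made above: a 5-tuple border rule with wildcard matching, plus a crude request-line check standing in for stateful inspection. The rule, the destination host and the sample flows are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    """One packet's 5-tuple plus the first bytes of its payload (constructed)."""
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int
    payload: bytes = b""

# The "crude" policy language: a rule is nothing but 5-tuple fields,
# where None is a wildcard. It names port 80, not "web browsing".
RULE_ALLOW_WEB = {"src": None, "dst": "10.0.0.5", "proto": "tcp", "sport": None, "dport": 80}

def tuple_match(rule: dict, flow: Flow) -> bool:
    return all(v is None or getattr(flow, k) == v for k, v in rule.items())

def looks_like_http(payload: bytes) -> bool:
    # Stand-in for vendor stateful inspection: does it start with an HTTP method?
    methods = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS")
    return payload.split(b" ", 1)[0] in methods

def decide(flow: Flow, inspect: bool) -> str:
    """Return 'allow' or 'deny'.
    inspect=False: the 5-tuple alone decides, so anything on port 80 passes.
    inspect=True : payload is checked, so non-HTTP *and* encrypted traffic
                   on port 80 is denied, which is the ripple effect described."""
    if not tuple_match(RULE_ALLOW_WEB, flow):
        return "deny"
    if inspect and not looks_like_http(flow.payload):
        return "deny"
    return "allow"

# Constructed sample flows, all addressed to the same host and port.
HTTP_ON_80 = Flow("192.0.2.7", "10.0.0.5", "tcp", 40000, 80,
                  b"GET / HTTP/1.1\r\nHost: example\r\n\r\n")
SSH_ON_80 = Flow("192.0.2.7", "10.0.0.5", "tcp", 40001, 80, b"SSH-2.0-banner\r\n")
TLS_ON_80 = Flow("192.0.2.7", "10.0.0.5", "tcp", 40002, 80,
                 bytes.fromhex("160301"))   # start of a TLS record header

if __name__ == "__main__":
    for name, f in (("http", HTTP_ON_80), ("ssh", SSH_ON_80), ("tls", TLS_ON_80)):
        print(name, "5-tuple only:", decide(f, False), "| with inspection:", decide(f, True))
```

The 5-tuple rule admits all three flows; adding inspection rejects the SSH flow but also the TLS one, since the policy language has no way to say "encrypted web traffic is fine".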


_______________________________________________
Saad mailing list
Saad@ietf.org
https://www1.ietf.org/mailman/listinfo/saad

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.