[security-area] Agenda Firewall Issues BOF - GGF13
Dane Skow
dane at fnal.gov
Mon Mar 14 02:56:13 CST 2005
FIG comment forwarded for Inder.
D
> Olle/Leon,
>
> I agree with the reasoning to add NAT considerations into the BOF. Though,
> when exploring requirements/solutions we should not assume that the firewall
> and NAT functions always are implemented together at points in the network.
>
> Inder
>
>
>
>
> -----Original Message-----
> From: owner-security-area at ggf.org [mailto:owner-security-area at ggf.org] On Behalf Of Leon Gommans
> Sent: Thursday, March 10, 2005 3:56 AM
> To: Olle Mulmo
> Cc: Mike Helm; Mike 'Mike' Jones; john.mccoy at pnl.gov; security-area at ggf.org; chin at es.net; schissel at fusion.gat.com
> Subject: Re: [security-area] Agenda Firewall Issues BOF - GGF13
>
>
> Olle,
>
> One way I see that naturally merges the consideration of Firewall and
> NAT functions, is to use RFC3303 (middlebox communication architecture and
> framework) as a basis to work from. The work the IETF
> currently pursues in this area, such as the NSIS group, also mentions
> Firewalls and NAT's in the same breath. From this perspective,
> merging NAT's and Firewall considerations sounds a logical idea.
>
> Thanks for clarifying the scope issue,
>
> Regards .. Leon.
>
>
> Olle Mulmo wrote:
>
>> Without implying that we should freeze or postpone any current
>> discussions on this topic, NATs are definitely a discussion item at
>> the BOF as well, I would say.
>>
>> I would say that in these discussions, NATs are equally important as
>> firewalls, as they both are devices that are "in the way", meddling
>> with the network traffic in ways that cause problems for middleware
>> and application developers. Identifying (and seeking to rectify?) the
>> problems that appear in Grid settings is what this BOF is about.
>>
>> Side remark: one can claim that NATs are (stupid) firewalls. That can
>> be debated endlessly though, and I'm certain the people that build
>> "real" firewalls disagree!
>>
>> /Olle
>>
>> On Mar 8, 2005, at 20:10, Leon Gommans wrote:
>>
>>> Mike,
>>>
>>> Thanks for raising the question. The answer will depend on the
>>> charter discussion. Anybody is welcome to comment.
>>>
>>> This is my personal view:
>>>
>>> If you look, for example, at the IETF Middlebox work, NATs
>>> were part of the charter.
>>>
>>> An answer may also depend on the outcome of the question
>>> if this should be a Research Group or a Working Group.
>>> A WG charter needs to be very focussed and
>>> our Area Directors may prefer a limited scope with clearly
>>> defined deliverables. The scope may therefore be limited to
>>> Firewalls. There is also a BoF that wants to look at VPN's. A RG
>>> could pursue a wider range of middlebox services such as mentioned
>>> in RFC 3303.
>>>
>>> Kind regards .. Leon Gommans.
>>>
>>>
>>>
>>> Mike 'Mike' Jones wrote:
>>>
>>> Would it be useful to discuss NAT at the same time as firewalls?
>>>
>>> I think NAT raises some issues that are similar to firewalls. I'm coming
>>> from an AFS in globus2 based grids perspective and have also seen clashes
>>> between globus-IO and NAT.
>>>
>>> I'm afraid I'm not able to go to Korea to stick my hand up and ask the
>>> question there, sorry!
>>>
>>> Cheers,
>>> Mike
>>>
>>> On Tue, 8 Mar 2005, Mike Helm wrote:
>>>
>>>
>>> LG, can you put me on the agenda? I'd like to mention
>>> 3 things (provided the material all shows up :^) that
>>> might be of interest: some MPLS work at ESnet, a PNNL localhost-based
>>> firewall solution that should be grid friendly, and an interesting
>>> use-case from Fusion Grid (some have seen this, at last GGF).
>>>
>>> Thanks, ==mwh
>>> Michael Helm
>>> ESnet/LBNL
>>>
>>>
>>>
>>
>>
>
>