Re: [security-area] Agenda Firewall Issues BOF - GGF13

Mike,
Thanks for raising the question. The answer will depend on the charter discussion. Anybody is welcome to comment.
This is my personal view:
If you look, for example, at the IETF Middlebox work, NATs were part of the charter.
An answer may also depend on the outcome of the question if this should be a Research Group or a Working Group. A WG charter needs to be very focussed and our Area Directors may prefer a limited scope with clearly defined deliverables. The scope may therefore be limited to Firewalls. There is also a BoF that wants to look at VPNs. A RG could pursue a wider range of middlebox services such as mentioned in RFC 3303.
Kind regards .. Leon Gommans.
Mike 'Mike' Jones wrote:
Would it be useful to discuss NAT at the same time as firewalls?
I think NAT raises some issues that are similar to firewalls. I'm coming from an AFS in globus2 based grids perspective and have also seen clashes between globus-IO and NAT.
I'm afraid I'm not able to go to Korea to stick my hand up and ask the question there, sorry!
Cheers, Mike
On Tue, 8 Mar 2005, Mike Helm wrote:
LG, can you put me on the agenda? I'd like to mention 3 things (provided the material all shows up :^) that might be of interest: some MPLS work at ESnet, a PNNL localhost-based firewall solution that should be grid friendly, and an interesting use-case from Fusion Grid (some have seen this, at last GGF).
Thanks, ==mwh Michael Helm ESnet/LBNL

Without implying that we should freeze or postpone any current discussions on this topic, NATs are definitely a discussion item at the BOF as well, I would say.
I would say that in these discussions, NATs are equally important as firewalls, as they both are devices that are "in the way", meddling with the network traffic in ways that cause problems for middleware and application developers. Identifying (and seeking to rectify?) the problems that appear in Grid settings is what this BOF is about.
Side remark: one can claim that NATs are (stupid) firewalls. That can be debated endlessly though, and I'm certain the people that build "real" firewalls disagree!
/Olle
On Mar 8, 2005, at 20:10, Leon Gommans wrote:
Mike,
Thanks for raising the question. The answer will depend on the charter discussion. Anybody is welcome to comment.
This is my personal view:
If you look, for example, at the IETF Middlebox work, NATs were part of the charter.
An answer may also depend on the outcome of the question if this should be a Research Group or a Working Group. A WG charter needs to be very focussed and our Area Directors may prefer a limited scope with clearly defined deliverables. The scope may therefore be limited to Firewalls. There is also a BoF that wants to look at VPNs. A RG could pursue a wider range of middlebox services such as mentioned in RFC 3303.
Kind regards .. Leon Gommans.
Mike 'Mike' Jones wrote:
Would it be useful to discuss NAT at the same time as firewalls?
I think NAT raises some issues that are similar to firewalls. I'm coming from an AFS in globus2 based grids perspective and have also seen clashes between globus-IO and NAT.
I'm afraid I'm not able to go to Korea to stick my hand up and ask the question there, sorry!
Cheers, Mike
On Tue, 8 Mar 2005, Mike Helm wrote:
LG, can you put me on the agenda? I'd like to mention 3 things (provided the material all shows up :^) that might be of interest: some MPLS work at ESnet, a PNNL localhost-based firewall solution that should be grid friendly, and an interesting use-case from Fusion Grid (some have seen this, at last GGF).
Thanks, ==mwh Michael Helm ESnet/LBNL

Olle,
One way I see that naturally merges the consideration of Firewall and NAT functions is to use RFC3303 (middlebox communication architecture and framework) as a basis to work from. The work the IETF currently pursues in this area, such as the NSIS group, also mentions Firewalls and NATs in the same breath. From this perspective, merging NAT and Firewall considerations sounds a logical idea.
Thanks for clarifying the scope issue,
Regards .. Leon.
Olle Mulmo wrote:
Without implying that we should freeze or postpone any current discussions on this topic, NATs are definitely a discussion item at the BOF as well, I would say.
I would say that in these discussions, NATs are equally important as firewalls, as they both are devices that are "in the way", meddling with the network traffic in ways that cause problems for middleware and application developers. Identifying (and seeking to rectify?) the problems that appear in Grid settings is what this BOF is about.
Side remark: one can claim that NATs are (stupid) firewalls. That can be debated endlessly though, and I'm certain the people that build "real" firewalls disagree!
/Olle
On Mar 8, 2005, at 20:10, Leon Gommans wrote:
Mike,
Thanks for raising the question. The answer will depend on the charter discussion. Anybody is welcome to comment.
This is my personal view:
If you look, for example, at the IETF Middlebox work, NATs were part of the charter.
An answer may also depend on the outcome of the question if this should be a Research Group or a Working Group. A WG charter needs to be very focussed and our Area Directors may prefer a limited scope with clearly defined deliverables. The scope may therefore be limited to Firewalls. There is also a BoF that wants to look at VPNs. A RG could pursue a wider range of middlebox services such as mentioned in RFC 3303.
Kind regards .. Leon Gommans.
Mike 'Mike' Jones wrote:
Would it be useful to discuss NAT at the same time as firewalls?
I think NAT raises some issues that are similar to firewalls. I'm coming from an AFS in globus2 based grids perspective and have also seen clashes between globus-IO and NAT.
I'm afraid I'm not able to go to Korea to stick my hand up and ask the question there, sorry!
Cheers, Mike
On Tue, 8 Mar 2005, Mike Helm wrote:
LG, can you put me on the agenda? I'd like to mention 3 things (provided the material all shows up :^) that might be of interest: some MPLS work at ESnet, a PNNL localhost-based firewall solution that should be grid friendly, and an interesting use-case from Fusion Grid (some have seen this, at last GGF).
Thanks, ==mwh Michael Helm ESnet/LBNL