Semi-final FIG WG charter proposal

Please find below the semi-final charter proposal for a possible Firewall Issues Group that is intended to be formed within the security area. This charter has collected comments from this list. In particular, the presence of host/application-based firewall functions is now mentioned. The charter also recognizes the fact that firewall policies may be generated automatically. Any further comments must be made soon, as we want to go ahead and forward this proposal to our ADs within a few days.

Kind regards - Leon Gommans, Inder Monga.

-------

Firewall Issues Group (FIG)

Chairs: Leon Gommans, Inder Monga
Area Directors: Olle Mulmo, Dane Skow
Mailing list: <tba>

Description of Work:

Grids increasingly require application-driven transport privileges from the network. As such, the network is asked to make policy decisions on behalf of the various entities participating in an application's operation. A need has developed for Grid applications to communicate their requirements to the devices in the network that provide transport policy enforcement. Examples of such devices include firewalls, network address translators, and other gateway-style devices.

This working group will focus its attention on issues that Grid applications experience when the need arises to control firewall functions. Some examples are highlighted in GFD.37. The work will not preclude extensibility to other categories of what the IETF refers to as "middle-boxes".

This working group will concern itself with an environment that consists of:
- one or more firewalls in the data path. Firewalls may be external network devices or they may be integral to a host. There may also be application/xml-soap level firewalls involved.
- a requesting Grid application
- an optional policy decision point, in which a firewall acts as enforcement point deploying models such as described in GFD.38.

A requesting entity may be trusted or untrusted. In the case where it is trusted, the "middle box" will treat the request from the entity as authoritative. In the case where it is not trusted, the intermediate device will have to verify that it is authorized to complete the request. Authorization could originate from a separate or a built-in policy server. Policies can be created manually or automatically.

The working group will evaluate existing IETF protocols for their applicability to the set of issues identified in the Grid and will deliver a document (or documents) that will recommend possible solutions and modifications to current protocols, if any, to the attention of the IETF. The output will be actively promoted within the firewall vendor community.

The IETF work that will at least be considered is the output of the following groups:
- midcom - "middlebox" communication: http://www.ietf.org/html.charters/midcom-charter.html
- aft - Authenticated Firewall Traversal: http://www.ietf.org/html.charters/aft-charter.html
- nsis - Next Steps in Signaling: http://www.ietf.org/html.charters/nsis-charter.html

Input and participation from the vendor community is explicitly encouraged. Existing documents from the Grid community will be used as a starting point.

Goals and Milestones:

Submit after GGF15 informational document(s) that will focus on:
1) An inventory of the issues, with use cases, when Grid jobs must deal with firewall functions.
2) Subsequently, technically describe and classify the issues in document #1.
3) Evaluating existing IETF protocols and firewall functions for their suitability.
4) Recognize possible limitations of an identified firewall function and/or protocol and produce a list of requirements towards the IETF and interested firewall vendors.
5) Discuss and capture recommended approaches and solutions addressing the Grid-specific issues and distribute them towards the IETF and interested firewall vendors; capture the results of 3-5 in document #2.

GGF13: Charter discussion and group volunteers
GGF14: First draft and group discussions
GGF15: Second draft and group discussions. First draft of recommended approaches and solutions
December 2005: WG last call and final submission of document #1.
GGF16: Second draft and group discussions
May 2006: WG last call and final submission of document #2.