Re: [security-area] Agenda Firewall Issues BOF - GGF13

FIG comment forwarded for Inder. D
Olle/Leon,
I agree with the reasoning to add NAT considerations into the BOF. Though, when exploring requirements/solutions, we should not assume that the firewall and NAT functions are always implemented together at points in the network.
Inder
-----Original Message-----
From: owner-security-area@ggf.org [mailto:owner-security-area@ggf.org] On Behalf Of Leon Gommans
Sent: Thursday, March 10, 2005 3:56 AM
To: Olle Mulmo
Cc: Mike Helm; Mike 'Mike' Jones; john.mccoy@pnl.gov; security-area@ggf.org; chin@es.net; schissel@fusion.gat.com
Subject: Re: [security-area] Agenda Firewall Issues BOF - GGF13
Olle,
One way I see that naturally merges the consideration of Firewall and NAT functions is to use RFC3303 (middlebox communication architecture and framework) as a basis to work from. The work the IETF currently pursues in this area, such as the NSIS group, also mentions Firewalls and NATs in the same breath. From this perspective, merging NAT and Firewall considerations sounds like a logical idea.
Thanks for clarifying the scope issue,
Regards .. Leon.
Olle Mulmo wrote:
Without implying that we should freeze or postpone any current discussions on this topic, NATs are definitely a discussion item at the BOF as well, I would say.
I would say that in these discussions, NATs are equally important as firewalls, as they both are devices that are "in the way", meddling with the network traffic in ways that cause problems for middleware and application developers. Identifying (and seeking to rectify?) the problems that appear in Grid settings is what this BOF is about.
Side remark: one can claim that NATs are (stupid) firewalls. That can be debated endlessly though, and I'm certain the people that build "real" firewalls disagree!
/Olle
On Mar 8, 2005, at 20:10, Leon Gommans wrote:
Mike,
Thanks for raising the question. The answer will depend on the charter discussion. Anybody is welcome to comment.
This is my personal view:
If you look, for example, at the IETF Middlebox work, NATs were part of the charter.
An answer may also depend on the outcome of the question of whether this should be a Research Group or a Working Group. A WG charter needs to be very focussed, and our Area Directors may prefer a limited scope with clearly defined deliverables. The scope may therefore be limited to Firewalls. There is also a BoF that wants to look at VPNs. An RG could pursue a wider range of middlebox services such as those mentioned in RFC 3303.
Kind regards .. Leon Gommans.
Mike 'Mike' Jones wrote:
Would it be useful to discuss NAT at the same time as firewalls?
I think NAT raises some issues that are similar to firewalls. I'm coming from an AFS-in-globus2-based-grids perspective and have also seen clashes between globus-IO and NAT.
I'm afraid I'm not able to go to Korea to stick my hand up and ask the question there, sorry!
Cheers, Mike
On Tue, 8 Mar 2005, Mike Helm wrote:
LG, can you put me on the agenda? I'd like to mention 3 things (provided the material all shows up :^) that might be of interest: some MPLS work at ESnet, a PNNL localhost-based firewall solution that should be grid friendly, and an interesting use-case from Fusion Grid (some have seen this, at last GGF).
Thanks, ==mwh
Michael Helm
ESnet/LBNL