barns@GATEWAY.MITRE.ORG (06/24/91)
Archive-name: internet/route/draft-ietf-rreq-iprouters/1991-06-19
Archive: nnsc.nsf.net:/internet-drafts/draft-ietf-rreq-iprouters* [192.31.103.6]
Original-posting-by: barns@GATEWAY.MITRE.ORG
Original-subject: Re: well-behaved firewalls
Reposted-by: emv@msen.com (Edward Vielmetti, MSEN)

"Son of 1009", aka the Router Requirements RFC (draft), says something about this. The proposal will be different from anything now done, assuming the draft is agreed to (and that stage isn't far away now). The idea is to make a new ICMP Unreachable subtype code for generic "communication administratively prohibited". There are existing codes (documented in RFC 1122 only) for "communication with host administratively prohibited" (code 10) and "communication with network administratively prohibited" (code 9). I think I would prefer that the new code be sent for a protocol-specific firewall and probably for a host- or network-wide prohibition as well.

(Such was the intent of the proposal, which by the way wasn't mine. Apparently there is some fast algorithm for filtering packets that works in such a way that you can decide that something failed much quicker than you can decide why it failed. Since the router world is now benchmark-driven, the vendors want the code structure to support this way of doing things.)

People with (intelligent) opinions on what routers ought to do about anything related to IP ought to be feeding their inputs to the Router Requirements Working Group. Unless something surprising occurs, the next meeting ought to be at the Atlanta IETF at the end of July/beginning of August. A (hopefully fairly current) draft is available at the usual Internet-Drafts repositories, including nnsc.nsf.net, in directory internet-drafts, filename draft-ietf-rreq-iprouters-01.txt. The beginning of the document has lots of info about how to contribute to its development. It would make sense for people to read the draft before commenting on what it should say.
Bill Barns / MITRE-Washington / barns@gateway.mitre.org
--
MSEN Archive Service file verification
nnsc.nsf.net
-rw-r--r--  1 8000  guest  470702 Mar  8 00:52 /internet-drafts/draft-ietf-rreq-iprouters-01.txt
found draft-ietf-rreq-iprouters ok nnsc.nsf.net:/internet-drafts/draft-ietf-rreq-iprouters*
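The message above describes three ICMP Destination Unreachable (type 3) codes: the RFC 1122 codes 9 (network administratively prohibited) and 10 (host administratively prohibited), and a proposed generic "communication administratively prohibited" code that a fast filter can send when it knows a packet failed but not why. The generic code was later assigned code 13 in RFC 1812. The following is an added example, not code from the post, the draft or any router vendor: it builds and validates a type-3 message per RFC 792 (type, code, checksum, four unused bytes, then the offending IP header plus its first 8 payload bytes), and models a packet filter that returns the precise code when it knows the rule's scope and collapses to the generic code in "fast" mode. The rule table, addresses, and the constructed datagrams are assumptions made for the example.

```python
import ipaddress
import socket
import struct

ICMP_DEST_UNREACH = 3
CODE_NET_ADMIN_PROHIB = 9    # RFC 1122: communication with destination network prohibited
CODE_HOST_ADMIN_PROHIB = 10  # RFC 1122: communication with destination host prohibited
CODE_ADMIN_PROHIB = 13       # RFC 1812: generic "communication administratively prohibited"

CODE_NAMES = {
    CODE_NET_ADMIN_PROHIB: "net-admin-prohibited",
    CODE_HOST_ADMIN_PROHIB: "host-admin-prohibited",
    CODE_ADMIN_PROHIB: "admin-prohibited",
}

# Constructed filter rules (example only). "scope" records what the rule
# actually knows, which is what picks the precise ICMP code to send back.
RULES = [
    {"dst": "192.0.2.0/24",    "proto": None, "port": None, "scope": "net"},
    {"dst": "198.51.100.7/32", "proto": None, "port": None, "scope": "host"},
    {"dst": "203.0.113.0/24",  "proto": 6,    "port": 23,   "scope": "proto"},
]
SCOPE_CODE = {"net": CODE_NET_ADMIN_PROHIB, "host": CODE_HOST_ADMIN_PROHIB,
              "proto": CODE_ADMIN_PROHIB}


def icmp_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071); 0 for a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def make_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Constructed IPv4 datagram; header checksum is left 0 (not the point here)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def filter_decision(datagram: bytes, rules=RULES, precise=True):
    """Return None if the datagram is allowed, else the ICMP code to send.
    precise=False models the fast filter the post mentions: it knows the
    packet failed but not why, so it always reports the generic code."""
    ihl = (datagram[0] & 0x0F) * 4
    proto = datagram[9]
    dst = ipaddress.ip_address(socket.inet_ntoa(datagram[16:20]))
    dport = (struct.unpack("!H", datagram[ihl + 2:ihl + 4])[0]
             if proto in (6, 17) else None)
    for r in rules:
        if dst not in ipaddress.ip_network(r["dst"]):
            continue
        if r["proto"] is not None and r["proto"] != proto:
            continue
        if r["port"] is not None and r["port"] != dport:
            continue
        return SCOPE_CODE[r["scope"]] if precise else CODE_ADMIN_PROHIB
    return None


def build_unreachable(code: int, offending: bytes) -> bytes:
    """Type 3 message: type, code, checksum, 4 unused bytes, then the offending
    IP header plus the first 8 bytes of its payload (RFC 792)."""
    ihl = (offending[0] & 0x0F) * 4
    quoted = offending[:ihl + 8]
    csum = icmp_checksum(struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + quoted)
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, code, csum, 0) + quoted


def parse_unreachable(msg: bytes) -> dict:
    """Validate a received type-3 message and recover what was blocked."""
    typ, code, _, _ = struct.unpack("!BBHI", msg[:8])
    if typ != ICMP_DEST_UNREACH:
        raise ValueError("not a destination unreachable message")
    if icmp_checksum(msg) != 0:
        raise ValueError("bad ICMP checksum")
    quoted = msg[8:]
    ihl = (quoted[0] & 0x0F) * 4
    proto = quoted[9]
    dport = (struct.unpack("!H", quoted[ihl + 2:ihl + 4])[0]
             if proto in (6, 17) else None)
    return {"code": code, "reason": CODE_NAMES.get(code, "other"),
            "src": socket.inet_ntoa(quoted[12:16]),
            "dst": socket.inet_ntoa(quoted[16:20]),
            "proto": proto, "dst_port": dport}


if __name__ == "__main__":
    # Constructed telnet SYN (TCP src port, dst port 23, seq) into the filtered net.
    pkt = make_ipv4("10.0.0.5", "203.0.113.9", 6, struct.pack("!HHI", 40000, 23, 1))
    code = filter_decision(pkt)
    print(CODE_NAMES[code], parse_unreachable(build_unreachable(code, pkt)))
```

In precise mode the network rule yields code 9, the host rule code 10, and the protocol-specific rule the generic code, which matches the preference stated in the post; with `precise=False` every denial comes back as the generic code, which is the behaviour the fast-filter argument asks the code structure to allow. A receiver using `parse_unreachable` gets the same five-tuple either way, only the reason differs.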