Minutes of the 2011-11-02 IAB Teleconference (Techchat and Business Meeting)
- Bernard Aboba (IAB Chair)
- Ross Callon
- Alissa Cooper
- Spencer Dawkins
- Lars Eggert (IRTF Chair)
- Joel Halpern
- David Kessens
- Olaf Kolkman
- Danny McPherson
- Cindy Morgan (IAB Executive Assistant)
- Jon Peterson
- Andrei Robachevsky
- Dow Street (IAB Executive Director)
- Dave Thaler
- Hannes Tschofenig
- Sean Turner (IESG Liaison)
- Mat Ford (ISOC Liaison)
- Russ Housley (IETF Chair)
- Stuart Cheshire
2. Techchat: Firewalls
Dave Thaler and Stuart Cheshire led the board in a discussion on firewalls, starting from the premise that:
Traditionally, firewalls have been about arming customers to protect against badly written apps and services.
Stuart pointed out that there is a common misconception that firewalls protect users from malware, when in fact firewalls protect users from buggy software. There is concern that firewalls give users a false sense of security; firewalls are not invulnerable and will not prevent malware from running if the user allows it.
Dave presented slides that define a firewall as “something that blocks unwanted traffic,” but pointed out that different entities (end users, application developers, network administrators, host administrators, firewall developers) have different views on what traffic is unwanted. Each of those entities may desire to either allow or block traffic, and they express those desires via firewall rules.
Dave proposed that there are two categories of firewall rules: attack surface reduction rules, which prevent an application from doing things the developer does not want it to do; and security policy rules, which prevent an application from doing things the developer wants it to do but an administrator does not. Attack surface reduction rules are designed to mitigate against code injection threats; in consumer-level firewalls, this is done by blocking or allowing ports. Stuart noted that the typical end-user does not have the privileges to add allow rules to a firewall.
When consumers run into problems between software and their firewall, they have a few choices:
- Fix (or ask the vendor to fix) the software.
- Firewall vendors would argue that it is easier to update firewall rules than it is to update application software.
- Some application may not have update support or may no longer be available.
- Do not use the software.
- This begs the question whether a buggy application can still do something useful when firewalled, e.g. single-player versus multi-player games.
- Run the software with the firewall, which may prevent it from working properly.
- This still consumes resources such as memory, CPU, bandwidth, and port space.
- This can lead to bad user experiences.
The board discussed the potential for future IETF and IAB work on firewalls. Danny noted that parts of this topic may be covered in the upcoming Software Driven Networks (SDN) BOF at IETF 82. The board discussed whether there should be some I* action related to educating people on firewalls, and Danny agreed to take the topic to the IP Evolution Initiative for a recommendation. Stuart noted that the term “firewall” is very broad, and that one way the IAB could contribute is in coming up with a clearer taxonomy defining firewalls.
3. IAB Business Meeting
3.1. Executive Director direction – decision
The board discussed options for the IAB Executive Director role, including editing the job description to remove administrative and system administrator tasks. Dow indicated that he would work with Cindy to identify administrative tasks that can be transitioned. The board will continue to discuss this topic via email.
3.2. Next steps on RSSAC liaison
The board agreed to appoint Peter Koch as the new liaison to RSSAC pending his acceptance of the appointment. Bernard will follow up with Peter directly.
3.3. Next steps on Anycast document
Dave Thaler will review the current version of draft-iab-anycast-arch-implications to see if his most recent comments were addressed.