RE: draft-cohen-http-ext-postal-00.txt

From: Josh Cohen (joshco@microsoft.com)
Date: Tue, Feb 24 1998


Message-ID: <8B57882C41A0D1118F7100805F9F68B507850D@red-msg-45.dns.microsoft.com>
From: Josh Cohen <joshco@microsoft.com>
To: "'David W. Morris'" <dwm@xpasc.com>
Cc: koen@win.tue.nl, ietf-http-ext@w3.org, rdebry@us.ibm.com
Date: Tue, 24 Feb 1998 13:58:52 -0800
Subject: RE: draft-cohen-http-ext-postal-00.txt

Your point is valid, and a good argument can be
made that the cat is out of the bag, through the door
and out into the woods.

However, as a former firewall admin, my fear is
that now, if the trend that IPP begins
(introducing new functionality in POST which is
radically different from what the admin expected when
he/she decided to allow POST across his/her firewall)
continues, admins will have to keep up on the
latest and greatest to actively block new protocols.
This is in opposition to having to be active and keep
up with the latest and greatest to "allow" new protocols.

I wish we could get a better sample of firewall 
admins to give their opinions on this issue.

Will you be in LA? (And Roger too?) I'd really
like to have an open discussion on this.


> -----Original Message-----
> From: David W. Morris [mailto:dwm@xpasc.com]
> Sent: Tuesday, February 24, 1998 1:41 PM
> To: Josh Cohen
> Cc: koen@win.tue.nl; ietf-http-ext@w3.org; rdebry@us.ibm.com
> Subject: RE: draft-cohen-http-ext-postal-00.txt
> 
> On Mon, 23 Feb 1998, Josh Cohen wrote:
> 
> > > -----Original Message-----
> > > From: koen@win.tue.nl [mailto:koen@win.tue.nl]
> > > Sent: Monday, February 23, 1998 9:31 AM
> > > [...] 
> > If this was 1 year from now and all http based applications
> > were firmly in using POST, I would be more willing to 'taint'
> 
> The cat is FIRMLY out of the bag ... at this stage I find it a waste
> of effort to preclude a new 'formal' use of HTTP from using POST when
> the same kind of function is being built around the world every day
> sending the same kinds of data using POST.
> 
> > > I could not disagree more.  I feel that there are many cases in which
> > > it would be quite legitimate for the IETF to decide that, for a
> > > certain protocol, the default mode should be that `the average
> > > liberally configured firewall' accepts the protocol.
> > > 
> > [.. snip ..]
> > I disagree, however, I can accept that this is an issue
> > which experts can disagree on.
> > Folks who find firewalls an unwelcome restriction on communications
> > will likely feel that the protocol designers can rightfully choose
> > which new functionality is 'safe' to pass through firewalls without
> > operator intervention.
> 
> Beyond being able to define how a firewall might filter a particular
> kind of traffic, I think it would be a waste of time for the IETF
> to stipulate the default behavior of an HTTP application within
> a firewall. The providers of firewall software will provide the
> default behaviors they feel appropriate based on their expertise as
> firewall software engineers. Most experts I've read favor deny all
> -- allow selected ... the actual software I've used and studied
> can work in either the deny/allow mode or allow-all/deny-selected
> mode depending on the local security policy. 
> 
> As Koen has already pointed out, any organization looking at the
> content of the HTTP data stream has much more to worry about and at
> a much higher level of detail than the HTTP method will discern.
> 
> Filtering IPP globally by method won't be useful for the vast 
> majority ... mostly because all the other similar ways for data
> to escape using POST/File-upload, FTP, etc. which filters have to
> be written for anyway. Of much more interest will be the host
> receiving the request, etc.
> 
> Dave Morris
>
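As an added example, not from this thread or from either author, here is a small Python policy check that shows the point both messages circle: a filter keyed only on the HTTP method passes an IPP print job carried over POST exactly as it passes a login form, while a rule keyed on the Content-Type and the destination host can tell them apart, in either the deny-all/allow-selected or the allow-all/deny-selected mode Dave mentions. The hostnames and sample requests are constructed; `application/ipp` is the media type IPP uses over HTTP (RFC 2910).

```python
from dataclasses import dataclass

# IPP-over-HTTP carries its messages with this media type (RFC 2910).
IPP_MEDIA_TYPE = "application/ipp"
FORM_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data"}

@dataclass
class Request:
    method: str
    host: str
    content_type: str

def parse_request(raw: bytes) -> Request:
    """Pull the method, Host and Content-Type out of a raw HTTP/1.1 request head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0].upper()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    ctype = headers.get("content-type", "").split(";", 1)[0].strip().lower()
    return Request(method, headers.get("host", "").lower(), ctype)

def method_only_policy(req: Request) -> str:
    """The rule the thread worries about: the admin allowed POST, so every POST passes."""
    return "allow" if req.method in {"GET", "HEAD", "POST"} else "deny"

def content_aware_policy(req: Request, mode: str, print_hosts: set) -> str:
    """Decide on media type and host; mode is 'deny-all' (allow selected) or 'allow-all' (deny selected)."""
    if req.content_type == IPP_MEDIA_TYPE:
        # A print job to a known print server is fine; to any other host it is
        # data leaving through a hole that was opened for web forms.
        return "allow" if req.host in print_hosts else "deny"
    if mode == "allow-all":
        return "allow"
    # deny-all: only plain browsing and ordinary form submissions are selected.
    if req.method in {"GET", "HEAD"} or (req.method == "POST" and req.content_type in FORM_TYPES):
        return "allow"
    return "deny"

# Constructed sample requests with hypothetical hosts, not captured traffic.
SAMPLES = {
    "print_job_internal": b"POST /printers/lp1 HTTP/1.1\r\nHost: print.corp.example\r\nContent-Type: application/ipp\r\n\r\n...",
    "print_job_external": b"POST /printers/lp1 HTTP/1.1\r\nHost: printer.outside.example\r\nContent-Type: application/ipp\r\n\r\n...",
    "login_form": b"POST /login HTTP/1.1\r\nHost: www.example\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\nu=a",
}

def evaluate(name: str, mode: str = "deny-all") -> tuple:
    """Return (method-only verdict, content-aware verdict) for one sample request."""
    req = parse_request(SAMPLES[name])
    return method_only_policy(req), content_aware_policy(req, mode, {"print.corp.example"})
```

The external print job is the case Josh describes: the method-only rule lets it through, and only the content- and host-aware rule, in either mode, stops it.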