OASIS Mailing List Archives
openc2-actuator message



Subject: Firewall Profile: ip-addr target type


QUESTION:
In the context of the ip-addr target type for the deny and allow actions, should we
not include it as a valid target type?
include it as an optional target type?
include it as a required target type?
Please advise and, in a perfect world, explain why or why not.

BACKGROUND: 
This particular topic has some history:  
In the stone age (aka pre-OASIS), we had ip-addr as a valid target for deny and allow.

On the March 28 meeting, we discussed the notion that ip-addr seemed to be a special case of the ip-connection target type. One could get the same effect by using ip-connection and not populating the port and next protocol fields. In the interest of avoiding multiple means to convey the same command, I requested that we remove ip-addr as a valid target type.

During the period of March 28 to April 11, I received email comments and was advised that we need to have the ip-addr as a required target type.  Some of the comments I received are: 
" I think the common case is you just want it blocked, you don't care about the details...  you would have to make two calls to do that which would be counterintuitive "
Another comment was: "Blocking an IP seems to me to be something that is easy to understand and probably implement for a packet filter or firewall. Directionally blocking is more of a feature of a stateful firewall... I just don't know how a packet filter service would know exactly what to do with the command."

On the April 11 APSC teleconference, I received guidance to remove the ip-addr.  

To me, it appears that the conflicting guidance is due to different base assumptions. If the stateless packet filters out there are limited to blocking (or allowing) based on the IP address and do not need other data, then ip-addr is the logical required target type. If the stateless packet filters out there accommodate five-tuples, then ip-connection is the logical required target type. Can we discuss this here or on Slack and let me know which way to go?
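As an added illustration (example code written for this archive page, not part of the original message and not taken from the OpenC2 specification or any OpenC2 implementation), the following models a stateless five-tuple packet filter in which an unpopulated ip-connection field acts as a wildcard. It shows both sides of the discussion above: an ip-connection with only an address field set does match everything an ip-addr would match in that direction, but because a connection target is directional, a "deny ip-addr X" has to be expanded into two ip-connection rules (X as source and X as destination) to get the same effect. The field names (src_addr, dst_addr, src_port, dst_port, protocol), the Packet type and the sample addresses are assumptions made for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Stand-in for an OpenC2 ip-connection target. Field names are assumptions
# for this example, not the OpenC2 schema. None means "not populated".
@dataclass(frozen=True)
class IpConnection:
    src_addr: Optional[str] = None   # address or CIDR, e.g. "203.0.113.7"
    dst_addr: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    protocol: Optional[str] = None   # the "next protocol" field, e.g. "tcp"

# A fully specified packet header as a stateless filter would see it
# (constructed type for this example).
@dataclass(frozen=True)
class Packet:
    src_addr: str
    dst_addr: str
    src_port: int
    dst_port: int
    protocol: str

def _addr_matches(rule_addr: Optional[str], pkt_addr: str) -> bool:
    """Unpopulated address matches anything; otherwise test membership
    in the rule's network (a bare host address is treated as a /32 or /128)."""
    if rule_addr is None:
        return True
    return ip_address(pkt_addr) in ip_network(rule_addr, strict=False)

def conn_matches(rule: IpConnection, pkt: Packet) -> bool:
    """Stateless five-tuple match: every populated field must match,
    every unpopulated field is a wildcard."""
    return (_addr_matches(rule.src_addr, pkt.src_addr)
            and _addr_matches(rule.dst_addr, pkt.dst_addr)
            and (rule.src_port is None or rule.src_port == pkt.src_port)
            and (rule.dst_port is None or rule.dst_port == pkt.dst_port)
            and (rule.protocol is None or rule.protocol == pkt.protocol))

def ip_addr_rules(addr: str) -> List[IpConnection]:
    """Expand a 'deny ip-addr <addr>' into the ip-connection rules a
    directional, stateless filter needs to get the same effect:
    one rule with the address as source, one with it as destination."""
    return [IpConnection(src_addr=addr), IpConnection(dst_addr=addr)]

def denied(rules: List[IpConnection], pkt: Packet) -> bool:
    """True if any deny rule matches the packet."""
    return any(conn_matches(r, pkt) for r in rules)

# Constructed sample traffic: a host talking to 203.0.113.7 on port 443.
INBOUND = Packet("203.0.113.7", "192.0.2.10", 40000, 443, "tcp")
OUTBOUND = Packet("192.0.2.10", "203.0.113.7", 443, 40000, "tcp")
UNRELATED = Packet("198.51.100.5", "192.0.2.10", 50000, 22, "tcp")

if __name__ == "__main__":
    # A single ip-connection with only dst_addr set blocks one direction.
    one_way = [IpConnection(dst_addr="203.0.113.7")]
    print("one-way rule, inbound denied: ", denied(one_way, INBOUND))
    print("one-way rule, outbound denied:", denied(one_way, OUTBOUND))
    # The ip-addr expansion blocks both directions with two rules.
    both = ip_addr_rules("203.0.113.7")
    print("ip-addr expansion, inbound denied: ", denied(both, INBOUND))
    print("ip-addr expansion, outbound denied:", denied(both, OUTBOUND))
    print("ip-addr expansion, unrelated denied:", denied(both, UNRELATED))
```

The interesting line for the discussion is `ip_addr_rules`: on a filter that matches five-tuples, an address-only deny is expressible with ip-connection, but it costs two commands rather than one, which is exactly the "two calls" objection quoted above.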



