Firewall Wizards mailing list archives
Re: IPv6 support in firewalls
From: "Patrick M. Hausen" <hausen () punkt de>
Date: Thu, 23 Aug 2007 22:14:43 +0200
Hi, wizards, On Thu, Aug 23, 2007 at 02:42:03PM -0400, Dave Piscitello wrote:
Marcus, a proposal nearly identical to what you suggest was one of the first presented at the IETF in the mid-1990s. At the time, the intelligentiaTF poo-pooed it as not being sufficiently forward-looking and innovative. It didn't consider 64-bit alignment. It didn't *fix* options. It didn't *fix* QOS. It didn't accommodate IP security in a "native" manner. Happily, time wounds all heels. Over a decade later, and we've bent, twisted, tunneled, re-mapped, stretched, and NAT'd IPv4 until it does everything IPv6 promised - and now, all IPv6 brings to the table is a bigger field for addresses and an ungainly, unwanted and arguably unwarrantable transition scenario.
IPv6 brings back the end-to-end principle and NAT its well-deserved death. This alone should be enough reason to go for it. And I don't see what should be paticularly more difficult to implement in an IPv6 based application level gateway than in an IPv4 based one. Terminate both connections in a proxy process instead of messing with headers. Simple and effective. OK, honestly, I cannot write an "IPv6" firewall on a jug of beer and I don't claim I could. But some vendors got it mostly right for IPv4 simply by using transparent proxy processes instead of "deep adaptive whatever inspection". And a TCP connection carrying HTTP is a TCP connection carrying HTTP regardless of the layer 3 protocol. I expect the few remaining ALG vendors to be the first to have proper IPv6 capable solutions for this simple architectural reason. Kind regards, Patrick M. Hausen Leiter Netzwerke und Sicherheit -- punkt.de GmbH * Vorholzstr. 25 * 76137 Karlsruhe Tel. 0721 9109 0 * Fax 0721 9109 100 info () punkt de http://www.punkt.de Gf: Jürgen Egeling AG Mannheim 108285 _______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Re: IPv6 support in firewalls, (continued)
- Re: IPv6 support in firewalls Marcus J. Ranum (Aug 22)
- Re: IPv6 support in firewalls Shahin Ansari (Aug 22)
- Re: IPv6 support in firewalls Dave Piscitello (Aug 23)
- Re: IPv6 support in firewalls Mohit Sharma (Aug 23)
- Re: IPv6 support in firewalls Marcus J. Ranum (Aug 23)
- Re: IPv6 support in firewalls Darren Reed (Aug 22)
- Message not available
- Re: IPv6 support in firewalls Darren Reed (Aug 23)
- Re: IPv6 support in firewalls Shahin Ansari (Aug 23)
- Re: IPv6 support in firewalls Marcus J. Ranum (Aug 22)
- Re: IPv6 support in firewalls Marcus J. Ranum (Aug 23)
- ***SPAM*** Re: IPv6 support in firewalls Dave Piscitello (Aug 23)
- Re: IPv6 support in firewalls Patrick M. Hausen (Aug 23)
- ***SPAM*** Re: IPv6 support in firewalls Dave Piscitello (Aug 23)
- Re: ***SPAM*** Re: IPv6 support in firewalls ArkanoiD (Aug 24)
- Re: ***SPAM*** Re: IPv6 support in firewalls Patrick M. Hausen (Aug 27)
- Re: IPv6 support in firewalls Behm, Jeffrey L. (Aug 27)
- Re: IPv6 support in firewalls ArkanoiD (Aug 27)
- Re: IPv6 support in firewalls Behm, Jeffrey L. (Aug 27)
- Re: IPv6 support in firewalls Paul D. Robertson (Aug 27)
- Re: IPv6 support in firewalls Behm, Jeffrey L. (Aug 27)
- Re: IPv6 support in firewalls Paul D. Robertson (Aug 27)
- Re: IPv6 support in firewalls Behm, Jeffrey L. (Aug 27)