Firewall Wizards mailing list archives
Re: IPv6
From: Dave Piscitello <dave () corecom com>
Date: Thu, 06 Jan 2011 09:43:33 -0500
Darren,

The problem is much bigger than a mandate of this kind can solve. Mandates typically have a flag day or deployment horizon and there's at least an implication that the technology will be available to make the change.

I have 2 different vendor firewalls here. Neither supports IPv6. One treats DNS EDNS0 packets as malformed and blocks them and that's a problem not only for AAAA records but DNSSEC as well. Few vendors have as complete a set of attack signatures for IPv6 as they do for IPv4. Many access ISPs don't offer IPv6 but using tunneling services like Hurricane Electric are simple, educational, and entertaining but I'm not sure they are the right or scalable solution. Last time I checked, only a handful of the top 100 web sites had AAAA records associated with them.

And honestly, what percentage of IT out there could renumber and properly route IPv6 if you asked them to do so today. Let's be honest, if we were to post an IPv6 quiz on this list, how many would pass?

Few organizations can deploy security measures for IPv6 today that are equivalent to what they have today with IPv4 across the board. And so far as I can tell from surveys and inquiries, (1) very few people are willing to make this trade off and (2) vendors are unwilling to implement IPv6 in this lame economy without a strong indication that they'll get a return on investment from the effort.

If ever the phrase "living on borrowed time" applied to the Internet, it might be now. Many organizations are approaching a time when they may have to accept a weaker security deployment in order to add systems because they won't be able to obtain IPv4 addresses.

On 1/4/2011 1:18 AM, Darren Reed wrote:
> Paul D. Robertson wrote:
>> Is anyone doing anything interesting with v6 and firewalls? We're supposedly coming up on the year that v6 will break out, and most organizations I know still don't even route it.
>
> There needs to be more noise and a lot of it from the DoD and other US government departments saying that they won't do any future business from anyone without an IPv6 reachable website before anyone will even begin to take it seriously...
>
> I'm trying to push it internally, but sleeping giants move slowly...
>
> Darren
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () listserv icsalabs com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards