nanog mailing list archives

Re: Requirements for IPv6 Firewalls


From: William Herrin <bill () herrin us>
Date: Thu, 17 Apr 2014 11:51:50 -0400

On Thu, Apr 17, 2014 at 6:30 AM, Fernando Gont <fernando () gont com ar> wrote:
> A few months ago we published an IETF I-D with requirements for IPv6
> firewalls.
>
> Based on the feedback received since then, we've published a revision of
> the I-D:
> <http://www.ietf.org/internet-drafts/draft-gont-opsec-ipv6-firewall-reqs-01.txt>

Hi Fernando,

The feedback I would offer is this: You missed. By a lot.

For one thing, many of the requirements are vague, like REQ APP-20.
I've mitigated spam by allowing the operator to configure static
packet filters for the bad guy's netblock, right? Requirements "must"
be precise. Where you can't make it precise, drop it to a "should."

And why is spam mitigation a firewall requirement in the first place?
Traditionally that's handled by a specialty appliance, largely because
it's such a moving target.

Also, I note your draft is entitled "Requirements for IPv6 Enterprise
Firewalls." Frankly, no "enterprise" firewall will be taken seriously
without address-overloaded NAT. I realize that's a controversial
statement in the IPv6 world but until you get past it you're basically
wasting your time on a document which won't be useful to industry.

Take it back to the drawing board. You're not there yet.

Regards,
Bill Herrin


-- 
William D. Herrin ................ herrin () dirtside com  bill () herrin us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
