nanog mailing list archives
Re: Requirements for IPv6 Firewalls
From: Fernando Gont <fernando () gont com ar>
Date: Mon, 21 Apr 2014 06:03:55 -0300
Hi, Brandon,

On 04/17/2014 08:20 PM, Brandon Ross wrote:
> On Thu, 17 Apr 2014, Sander Steffann wrote:
>>> Also, I note your draft is entitled "Requirements for IPv6 Enterprise Firewalls." Frankly, no "enterprise" firewall will be taken seriously without address-overloaded NAT. I realize that's a controversial statement in the IPv6 world but until you get past it you're basically wasting your time on a document which won't be useful to industry.
>>
>> I disagree. While there certainly will be organisations that want such a 'feature' it is certainly not a requirement for every (I hope most, but I might be optimistic) enterprises.
>
> And I not only agree with Sander, but would also argue for a definitive statement in a document like this SPECIFICALLY to help educate the enterprise networking community on how to implement a secure border for IPv6 without the need for NAT. Having a document to point at that has been blessed by the IETF/community is key to helping recover the end-to-end principle.
>
> Such a document may or may not be totally in scope for a "firewall" document, but should talk about concepts like default-deny inbound traffic, stateful inspection and the use of address space that is not announced to the Internet and/or is completely blocked at borders for all traffic.

Are you arguing against e.g. "default-deny inbound traffic"?

Thanks,
--
Fernando Gont
e-mail: fernando () gont com ar || fgont () si6networks com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1