[100603] in North American Network Operators' Group

Re: IPv6 firewall support

daemon@ATHENA.MIT.EDU (Randy Bush)
Sun Oct 28 23:57:41 2007

Date: Mon, 29 Oct 2007 12:56:38 +0900
From: Randy Bush <randy@psg.com>
To: Mark Prior <mrp@mrp.net>
CC: Nanog <nanog@nanog.org>
In-Reply-To: <47255462.5020903@mrp.net>
Errors-To: owner-nanog@merit.edu


trolls can blather on, and of course will.  but for the best work to
date on this subject, see dave piscitello's preso from arin,
<http://www.arin.net/meetings/minutes/ARIN_XX/PDF/thursday/Firewalls_Piscitello.pdf>.

Mark Prior wrote:
> If you need IPv6 then don't believe the vendor propaganda, test the
> box and then prepare to complain to the vendor :)

there is a too lightly spoken problem under this, a lack of good test
suites, environments, platforms for ipv6.  this serious gap extends from
routers' control and data planes, to security products, to the myriad of
applications.  so the vendors can say pretty much anything, and it's
very hard to actually learn the reality until it fails in your network.

of course, if you have not been prone to testing in ipv4, this will not
be a major change for you. :)

randy
