[120172] in North American Network Operators' Group
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
daemon@ATHENA.MIT.EDU (Mikael Abrahamsson)
Fri Dec 11 09:10:58 2009
Date: Fri, 11 Dec 2009 15:10:05 +0100 (CET)
From: Mikael Abrahamsson <swmike@swm.pp.se>
To: Simon Perreault <simon.perreault@viagenie.ca>
In-Reply-To: <4B224BED.3070904@viagenie.ca>
Cc: nanog@nanog.org, Joe Greco <jgreco@ns.sol.net>

On Fri, 11 Dec 2009, Simon Perreault wrote:

> We have thus come to the conclusion that there shouldn't be a NAT-like
> firewall in IPv6 home routers.

No, the conclusion is that for IPv6 there should be something that behaves
much like current IPv4 NAT boxes, i.e. do stateful firewalling and only let
internal computers initiate connections outgoing, do protocol sniffing for
allowing incoming new connections, and use some UPnP-like method to do
temporary firewall openings.

This is the social contract of the current home gateway ecosystem, and
initially IPv6 devices need to replicate this.

Last I checked, this was the conclusion of multiple IPv6-related
IETF working groups; check out the "homegate" and "v6ops" WGs, for instance.

--
Mikael Abrahamsson email: swmike@swm.pp.se
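
The behaviour described in the message above (outbound-initiated state, default-deny inbound, temporary UPnP-like openings), modelled as an added example that is not part of the original post or of any IETF document. The `HomeGateway` class, its method names, the 60-second idle timeout and the `2001:db8::/32` documentation addresses are all assumptions made for illustration; protocol sniffing is left out.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed LAN prefix from the IPv6 documentation range (assumption).
LAN = ipaddress.ip_network("2001:db8:1::/64")


@dataclass
class HomeGateway:
    """Toy model of a stateful, default-deny-inbound IPv6 forwarder (hypothetical)."""
    idle_timeout: float = 60.0                    # assumed state lifetime, seconds
    flows: dict = field(default_factory=dict)     # 5-tuple -> time last seen
    pinholes: dict = field(default_factory=dict)  # (host, proto, port) -> expiry

    def open_pinhole(self, host, proto, port, lease, now):
        """UPnP-like request for a temporary inbound opening to a LAN host."""
        if ipaddress.ip_address(host) not in LAN:
            raise ValueError("pinholes may only target LAN hosts")
        self.pinholes[(host, proto, port)] = now + lease

    def forward(self, src, sport, dst, dport, proto, now):
        """Return True if the packet is forwarded, False if it is dropped."""
        if ipaddress.ip_address(src) in LAN:
            # Internal hosts may initiate anything; remember the flow.
            self.flows[(src, sport, dst, dport, proto)] = now
            return True
        # Inbound: allowed only as the reply direction of a live flow ...
        reverse = (dst, dport, src, sport, proto)
        last = self.flows.get(reverse)
        if last is not None and now - last <= self.idle_timeout:
            self.flows[reverse] = now
            return True
        self.flows.pop(reverse, None)             # expire stale state
        # ... or through a pinhole whose lease has not run out.
        expiry = self.pinholes.get((dst, proto, dport))
        if expiry is not None and now < expiry:
            return True
        self.pinholes.pop((dst, proto, dport), None)
        return False
```
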