[120255] in North American Network Operators' Group


Re: Consumer Grade - IPV6 Enabled Router Firewalls.

daemon@ATHENA.MIT.EDU (Owen DeLong)
Mon Dec 14 13:07:21 2009

From: Owen DeLong <owen@delong.com>
In-Reply-To: <6DE8DE9759A7055F2980C797@[192.168.1.44]>
Date: Mon, 14 Dec 2009 01:08:36 -0800
To: Michael Loftis <mloftis@wgops.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

> I really am honestly sick of people thinking IPv6 is a panacea.  It
> isn't. UPnP is rather a bit of a hack for sure, protocols should be
> better designed, but in this modern age of Peer To Peer you need a
> way for applications to ask the firewall to selectively open
> incoming ports.
>
If the addresses of your gaming machines are no longer dynamic and
their ports are no longer getting dynamically remapped, why do you
need that instead of a way to tell the firewall that X machine is
allowed to receive packets on Y ports from Z hostlist (where X, Z can
be wildcarded, and Y can be some form of list, range, or list of
ranges)?

No, IPv6 is not a panacea.  However, IPv6 does eliminate the need for
rapidly changing addresses on hosts that need to accept inbound
connections, which makes it possible to define policy for those hosts
rather than just trusting unauthenticated arbitrary applications to
amend your security policy at your border.

UPnP is the firewall equivalent of having US CBP admit any person who
has someone in the US say that they should be admitted.  While I do
support some level of immigration reform and more open borders than
has been the trend of late, even I would not go that far.

Owen
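The "X machine may receive packets on Y ports from Z hostlist" model in the reply above, written out as a small default-deny policy evaluator. This is an added illustration, not code from the thread or from any firewall product: the rule syntax (a host or prefix or "*" for X and Z, a comma-separated list of ports and ranges for Y), the rule names, and the sample addresses (all under the 2001:db8::/32 documentation prefix) are assumptions chosen for the demonstration. The point it shows is that once hosts keep stable addresses, an operator can state the policy up front and an application has nothing to negotiate with the border.

```python
"""
Static per-host inbound IPv6 policy: host X may receive packets on ports Y
from host list Z.  X and Z may be "*", Y may be a list, a range, or a list
of ranges.  Added example, not code from the NANOG thread; rule syntax and
sample addresses are assumptions (2001:db8::/32 documentation prefix).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    dst: str            # X: IPv6 address or prefix, or "*" for any local host
    ports: str          # Y: "3074" | "27015-27030" | "88,3074,27015-27030" | "*"
    srcs: tuple         # Z: tuple of IPv6 addresses/prefixes, or ("*",)
    proto: str = "any"  # "tcp", "udp" or "any"


def parse_ports(spec):
    """Expand a port spec into a frozenset of ints; "*" (every port) -> None."""
    spec = spec.strip()
    if spec == "*":
        return None
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo          # single port: lo == hi
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port spec {part!r}")
        ports.update(range(lo, hi + 1))
    return frozenset(ports)


def parse_host(pattern):
    """"*" -> None (match anything); otherwise an IPv6 address or prefix."""
    if pattern == "*":
        return None
    net = ipaddress.ip_network(pattern, strict=False)   # a bare address is a /128
    if net.version != 6:
        raise ValueError(f"IPv6 policy only: {pattern!r}")
    return net


class Policy:
    """Default-deny inbound policy; rules are validated once at load time."""

    def __init__(self, rules):
        self._compiled = []
        for r in rules:
            if r.proto not in ("tcp", "udp", "any"):
                raise ValueError(f"{r.name}: unknown protocol {r.proto!r}")
            self._compiled.append((
                r.name,
                parse_host(r.dst),
                parse_ports(r.ports),
                tuple(parse_host(s) for s in r.srcs),
                r.proto,
            ))

    def decide(self, src, dst, dport, proto):
        """Name of the first rule that admits the packet, or None (drop)."""
        src_ip = ipaddress.ip_address(src)
        dst_ip = ipaddress.ip_address(dst)
        for name, dst_net, ports, src_nets, rproto in self._compiled:
            if rproto != "any" and rproto != proto:
                continue
            if dst_net is not None and dst_ip not in dst_net:
                continue
            if ports is not None and dport not in ports:
                continue
            if not any(n is None or src_ip in n for n in src_nets):
                continue
            return name
        return None


# Constructed sample policy for a home /64 (hypothetical hosts and names).
HOME_POLICY = Policy([
    Rule("console",     "2001:db8:1::10", "88,3074",     ("*",), "udp"),
    Rule("game-server", "2001:db8:1::20", "27015-27030",
         ("2001:db8:feed::/48", "2001:db8:cafe::5"), "udp"),
    Rule("ssh",         "*",              "22",          ("2001:db8:abcd::/64",), "tcp"),
])

# Constructed inbound packets: (src, dst, dport, proto).
SAMPLE_PACKETS = [
    ("2001:db8:9999::1",   "2001:db8:1::10", 3074,  "udp"),  # console, any source
    ("2001:db8:9999::1",   "2001:db8:1::20", 27020, "udp"),  # source not in Z -> drop
    ("2001:db8:feed:7::3", "2001:db8:1::20", 27020, "udp"),  # source in Z -> allow
    ("2001:db8:abcd::9",   "2001:db8:1::30", 22,    "tcp"),  # dst wildcard -> allow
    ("2001:db8:abcd::9",   "2001:db8:1::30", 22,    "udp"),  # wrong protocol -> drop
    ("2001:db8:feed:7::3", "2001:db8:1::20", 27031, "udp"),  # just past the range -> drop
]


def evaluate(policy, packets):
    """Verdict per packet: matching rule name, or None for the default drop."""
    return [policy.decide(*p) for p in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, evaluate(HOME_POLICY, SAMPLE_PACKETS)):
        print(pkt, "->", verdict or "DROP")
```

The evaluator is first-match over an allow list with an implicit drop, which is how a stateful border filter on a consumer router would be expressed; a real deployment also needs the usual stateful "established/related" rule for outbound-initiated flows and the ICMPv6 messages that IPv6 cannot function without, neither of which this policy model is about.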
