[170136] in North American Network Operators' Group
RE: misunderstanding scale
daemon@ATHENA.MIT.EDU (Naslund, Steve)
Mon Mar 24 14:06:50 2014
From: "Naslund, Steve" <SNaslund@medline.com>
To: Curtis Maurand <cmaurand@xyonet.com>, NANOG list <nanog@nanog.org>
Date: Mon, 24 Mar 2014 17:44:31 +0000
In-Reply-To: <53306C7F.30001@xyonet.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
I don't buy that one at all. Grandma does not care or know about ipv4 or
ipv6. When the ipv4 CPE gets installed it blocks inbound connections by
default, why would ipv6 be any different? Windows firewall, if she is
relying on that, should not have any more problems with v6 than it does
with v4. I am also pretty sure that grandma does not care that NAT is
present or not. In fact, grandma's cell phone might already be using v6.

If the equipment does not work right out of the box, that is the equipment
supplier's or service provider's problem. Do you really believe that most
people deploying home gateways understand ipv4, NAT, or stateful firewalls?
No, they plug it in and the defaults should work for them. It might require
an engineering degree (or reading) to understand how IPv6 works; however,
grandma does not need to know how IPv6 works or even how a network works.
She plugs in the CPE, plugs in her PC and off you go. The smart people on
this list are the ones that need to know how it works. If we can't make the
customer experience transparent to them, then bad on us.
Steve
-----Original Message-----
From: Curtis Maurand [mailto:cmaurand@xyonet.com]
Sent: Monday, March 24, 2014 12:34 PM
To: Naslund, Steve
Subject: Re: misunderstanding scale
On 3/24/2014 12:53 PM, Naslund, Steve wrote:
> If they have a stateful IPv6 firewall (which they should and which most
> firewall vendors support), they already have what they need to prevent
> their internal systems from being accessible from the outside. If you are
> an enterprise and you don't have a stateful firewall, you are in trouble
> from a security standpoint whether you run v4 or v6. If you cannot
> configure a stateful firewall to block connections being initiated from
> outside, you are not qualified to be working with the firewall, v4 or v6
> does not matter. If someone is relying on NAT in case their firewall is
> misconfigured, they have major issues with security.
>
> In the home, I am not sure what the major issue is there either. How many
> CPE devices have you seen that do not implement basic firewall
> functionality? People may not use them correctly but that is no more an
> issue with v6 than it is with v4. Most CPE even comes out of the box
> blocking inbound connections by default.
>
But grandma doesn't have the ability to deploy a stateful firewall at her
house. She doesn't even understand what stateful means. Putting up a NAT
firewall on an IPv4 network is simple and it's easy. It provides adequate
protection of one's internal network from the outside. You plug them in and
they work. IPv6 just about requires an engineering degree to understand it.
Nobody thought about simplicity with it.