[171064] in North American Network Operators' Group
Re: Requirements for IPv6 Firewalls
daemon@ATHENA.MIT.EDU (William Herrin)
Thu Apr 17 11:52:39 2014
In-Reply-To: <534FAD41.8040604@gont.com.ar>
From: William Herrin <bill@herrin.us>
Date: Thu, 17 Apr 2014 11:51:50 -0400
To: Fernando Gont <fernando@gont.com.ar>
Cc: NANOG <nanog@nanog.org>
On Thu, Apr 17, 2014 at 6:30 AM, Fernando Gont <fernando@gont.com.ar> wrote:
> A few months ago we published an IETF I-D with requirements for IPv6
> firewalls.
>
> Based on the feedback received since then, we've published a revision of
> the I-D:
> <http://www.ietf.org/internet-drafts/draft-gont-opsec-ipv6-firewall-reqs-01.txt>
Hi Fernando,
The feedback I would offer is this: You missed. By a lot.
For one thing, many of the requirements are vague, like REQ APP-20.
I've mitigated spam by allowing the operator to configure static
packet filters for the bad guy's netblock, right? Requirements "must"
be precise. Where you can't make it precise, drop it to a "should."
And why is spam mitigation a firewall requirement in the first place?
Traditionally that's handled by a specialty appliance, largely because
it's such a moving target.
Also, I note your draft is entitled "Requirements for IPv6 Enterprise
Firewalls." Frankly, no "enterprise" firewall will be taken seriously
without address-overloaded NAT. I realize that's a controversial
statement in the IPv6 world but until you get past it you're basically
wasting your time on a document which won't be useful to industry.
Take it back to the drawing board. You're not there yet.
Regards,
Bill Herrin
--
William D. Herrin ................ herrin@dirtside.com bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004