[171081] in North American Network Operators' Group


Re: Requirements for IPv6 Firewalls

daemon@ATHENA.MIT.EDU (Mark Andrews)
Thu Apr 17 18:39:02 2014

To: Matthew Kaufman <matthew@matthew.at>
From: Mark Andrews <marka@isc.org>
In-reply-to: Your message of "Thu, 17 Apr 2014 14:48:08 -0700."
 <53504C18.7050406@matthew.at>
Date: Fri, 18 Apr 2014 08:38:13 +1000
Cc: "draft-gont-opsec-ipv6-firewall-reqs@tools.ietf.org"
 <draft-gont-opsec-ipv6-firewall-reqs@tools.ietf.org>, NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


In message <53504C18.7050406@matthew.at>, Matthew Kaufman writes:
> On 4/17/2014 1:45 PM, George Herbert wrote:
> > This is why listening to operators is important. 
> 
> Why start now? After all, most of the useful input operators could have 
> provided would have been much more useful at the beginning.
> 
> Matthew Kaufman

NAT from a firewall perspective is "default deny in".  As far as I
can tell no one is arguing that a firewall should not support that.

Now mangling the addresses and ports is not a firewall's job.  It
never has been a firewall's job.  That is what a NAT box does.

Now sometimes a NAT and Firewall are implemented in the same
hardware and people fail to make the distinction.

As for doing the same as v4 in a firewall for v6, only an idiot would
do that, as it will often break IPv6.  There are rules, often
deployed in v4, that are mostly harmless to IPv4 but will totally
break IPv6.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
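One concrete instance of the rule class Mark refers to, added here as an illustration and not taken from his message: a blanket "drop all ICMP" rule inherited from an IPv4 ruleset, written in nftables syntax with the IPv6-safe version beside it. The chain layout and interface name are assumptions; the ICMPv6 type list follows the RFC 4890 recommendations for what must not be blocked.

```nft
# Added example: IPv4 habit vs. what IPv6 actually needs (host input chain).
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept

        # Mostly harmless on IPv4 (PMTUD suffers, but hosts still talk):
        #   meta l4proto icmp drop
        # The literal IPv6 translation breaks the protocol: Neighbour
        # Discovery replaces ARP and runs over ICMPv6, and Packet Too Big
        # is the only PMTU signal because IPv6 routers never fragment.
        # ND is also not connection-tracked, so the established/related
        # rule above does not rescue it.
        #   meta l4proto ipv6-icmp drop     # do NOT do this

        # ICMPv6 error messages IPv6 relies on (RFC 4890: must not be dropped)
        meta l4proto ipv6-icmp icmpv6 type {
            destination-unreachable, packet-too-big,
            time-exceeded, parameter-problem
        } accept

        # Neighbour Discovery is link-local only, so a genuine ND packet
        # still carries hop limit 255; anything else came from off-link.
        meta l4proto ipv6-icmp icmpv6 type {
            nd-router-solicit, nd-router-advert,
            nd-neighbor-solicit, nd-neighbor-advert
        } ip6 hoplimit 255 accept

        # Echo is optional but useful for diagnostics; keep it, rate-limited
        meta l4proto ipv6-icmp icmpv6 type echo-request limit rate 10/second accept
    }
}
```

Load with `nft -f` and confirm with `nft list ruleset` that the ND and Packet Too Big accepts sit above the chain's drop policy before rolling it out to anything reachable only over IPv6.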

