[171083] in North American Network Operators' Group


Re: Requirements for IPv6 Firewalls

daemon@ATHENA.MIT.EDU (Brandon Ross)
Thu Apr 17 19:21:24 2014

Date: Thu, 17 Apr 2014 19:20:53 -0400 (EDT)
From: Brandon Ross <bross@pobox.com>
To: Sander Steffann <sander@steffann.nl>
In-Reply-To: <6EA825F3-C229-4BE6-801C-5B272AE65ACA@steffann.nl>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Thu, 17 Apr 2014, Sander Steffann wrote:

>> Also, I note your draft is entitled "Requirements for IPv6 Enterprise
>> Firewalls." Frankly, no "enterprise" firewall will be taken seriously
>> without address-overloaded NAT. I realize that's a controversial
>> statement in the IPv6 world but until you get past it you're basically
>> wasting your time on a document which won't be useful to industry.
>
> I disagree. While there certainly will be organisations that want such a 
> 'feature', it is certainly not a requirement for every (I hope most, but 
> I might be optimistic) enterprise.

And I not only agree with Sander, but would also argue for a definitive 
statement in a document like this SPECIFICALLY to help educate the 
enterprise networking community on how to implement a secure border for 
IPv6 without the need for NAT.  Having a document to point at that has 
been blessed by the IETF/community is key to helping recover the 
end-to-end principle.  Such a document may or may not be totally in scope 
for a "firewall" document, but should talk about concepts like 
default-deny inbound traffic, stateful inspection and the use of address 
space that is not announced to the Internet and/or is completely blocked 
at borders for all traffic.

Heck, we could even make it less specific to IPv6 and create a document 
that describes these concepts and shows how NAT is neither necessary nor wise 
for IPv4, either.  (Yes, yes, other than address conservation.)

-- 
Brandon Ross                                      Yahoo & AIM:  BrandonNRoss
+1-404-635-6667                                                ICQ:  2269442
                                                          Skype:  brandonross
Schedule a meeting:  http://www.doodle.com/bross
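The border policy Brandon sketches above (default-deny inbound, stateful inspection, and internal address space that is either never announced or explicitly blocked at the border) can be written down as a small executable model. The following is an added example, not code from the NANOG thread or from any draft it discusses; the prefixes, interface roles and packet trace are constructed, and the essential ICMPv6 error types follow the RFC 4890 filtering recommendations. It shows that hosts with globally routable addresses are protected by the policy alone, with no address translation involved.

```python
"""Model of an IPv6 border filter without NAT: default-deny inbound,
stateful inspection, and blocked/unannounced internal prefixes.
Added example for the NANOG thread; all prefixes are constructed."""
from dataclasses import dataclass, field
from ipaddress import IPv6Network, ip_address

# Constructed prefixes (assumptions for this model, documentation range).
GLOBAL_INTERNAL = IPv6Network("2001:db8:1::/48")    # announced; hosts sit behind the border
ULA_ALL = IPv6Network("fc00::/7")                   # ULA: never valid across the border
MGMT_NET = IPv6Network("2001:db8:1:ffff::/64")      # inside the aggregate, but blocked at the border

# ICMPv6 error types that must pass for IPv6 to work (PMTUD etc.), per RFC 4890.
ESSENTIAL_ICMPV6 = {1, 2, 3, 4}  # dest-unreachable, packet-too-big, time-exceeded, parameter-problem


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" = arriving from the Internet, "out" = leaving the site
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmpv6"
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1


@dataclass
class BorderFilter:
    # Tracked flows, keyed (proto, inside_addr, inside_port, outside_addr, outside_port).
    flows: set = field(default_factory=set)
    # Explicit inbound exceptions as (dst_addr, dst_port), e.g. a public web server.
    inbound_allow: set = field(default_factory=set)

    def _flow_key(self, p):
        if p.direction == "out":
            return (p.proto, p.src, p.sport, p.dst, p.dport)
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def decide(self, p):
        src, dst = ip_address(p.src), ip_address(p.dst)
        # 1. Address hygiene at the border, in both directions.
        if src in ULA_ALL or dst in ULA_ALL:
            return "drop: ULA never crosses the border"
        if src in MGMT_NET or dst in MGMT_NET:
            return "drop: management prefix blocked at border"
        if p.direction == "in" and src in GLOBAL_INTERNAL:
            return "drop: spoofed internal source from outside"
        if p.direction == "out" and src not in GLOBAL_INTERNAL:
            return "drop: egress source is not ours (BCP 38)"
        # 2. Stateful inspection: packets of a tracked flow pass in either direction.
        key = self._flow_key(p)
        if key in self.flows:
            return "accept: established"
        # 3. Essential ICMPv6 errors pass without state.
        if p.proto == "icmpv6" and p.icmp_type in ESSENTIAL_ICMPV6:
            return "accept: essential icmpv6"
        # 4. New outbound flows are allowed and create state for the return traffic.
        if p.direction == "out":
            self.flows.add(key)
            return "accept: new outbound flow"
        # 5. New inbound flows: default deny unless explicitly allowed.
        if (p.dst, p.dport) in self.inbound_allow:
            self.flows.add(key)
            return "accept: explicit inbound allow"
        return "drop: default-deny inbound"


def run_trace():
    """Run a constructed packet trace through the filter and return the decisions."""
    fw = BorderFilter(inbound_allow={("2001:db8:1::80", 443)})
    trace = [
        Packet("out", "2001:db8:1::10", "2001:db8:feed::1", "tcp", 51000, 443),   # client opens a flow
        Packet("in", "2001:db8:feed::1", "2001:db8:1::10", "tcp", 443, 51000),    # reply to that flow
        Packet("in", "2001:db8:feed::2", "2001:db8:1::10", "tcp", 40000, 22),     # unsolicited inbound
        Packet("in", "2001:db8:feed::9", "2001:db8:1::10", "icmpv6", icmp_type=2),  # packet-too-big
        Packet("in", "fd12:3456::1", "2001:db8:1::10", "udp", 5000, 53),          # ULA from outside
        Packet("out", "2001:db8:1:ffff::5", "2001:db8:feed::1", "tcp", 4000, 80), # mgmt host leaving
        Packet("in", "2001:db8:1::99", "2001:db8:1::10", "tcp", 1234, 80),        # spoofed internal src
        Packet("in", "2001:db8:feed::3", "2001:db8:1::80", "tcp", 50000, 443),    # allowed web server
    ]
    return [fw.decide(p) for p in trace]


if __name__ == "__main__":
    for line in run_trace():
        print(line)
```

The order of the checks is the point: address hygiene runs first so that ULA and blocked prefixes are dropped regardless of state, the flow table then lets return traffic through, and only after that do the explicit inbound exceptions apply. Every host keeps its global address end to end; what stops unsolicited inbound connections is rule 5, not a translation table.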
