[171092] in North American Network Operators' Group
Re: Requirements for IPv6 Firewalls
daemon@ATHENA.MIT.EDU (Seth Mos)
Fri Apr 18 01:17:13 2014
From: Seth Mos <seth.mos@dds.nl>
In-Reply-To: <CAP-guGVns+TWP=2ic+PcwVJwy0QJ3CsFSKasbEGFeKkj7k3Tzw@mail.gmail.com>
Date: Fri, 18 Apr 2014 07:16:51 +0200
To: William Herrin <bill@herrin.us>
Cc: NANOG <nanog@nanog.org>,
"draft-gont-opsec-ipv6-firewall-reqs@tools.ietf.org"
<draft-gont-opsec-ipv6-firewall-reqs@tools.ietf.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On 17 Apr 2014, at 20:50, William Herrin <bill@herrin.us> wrote:
> On Thu, Apr 17, 2014 at 2:32 PM, Eugeniu Patrascu <eugen@imacandi.net> wrote:
>> It's a bigger risk to think that NAT somehow magically protects you against
>> stuff on the Internet.
>
> You are entitled to your opinion and you are entitled to run your
> network in accordance with your opinion.
>
> To vendors who would sell me product, I would respectfully suggest
> that attempts to forcefully educate me as to what I *should want*
> offers neither a short nor particularly successful path to closing a
> sale.
Having deployed IPv6 at the internet point and halfway into the company I work for, I can tell you that I am *really* glad that I can now see what a firewall rule does properly instead of also having to peer at the NAT table, which is 1:1 or a port forward etc. Also, when IPv4 NAT and rules don't match up, hilarity ensues.
It greatly improves my workflow; it's just become a whole lot easier for me.
NAT66 definitely has a place, and I'm a huge proponent of it so that small SMB people and home users can do Multi WAN without BGP. That part isn't solved yet by the IETF, but at least there is a really good RFC for NPt.
In my experience it improves security because of the transparency.
For anything resembling > 100 people, get an ASN, PI and BGP. You'll thank me later; you're unlikely to have to renumber anything (1).
Kind regards,
Seth
(1) Yeah I know, unless you grow from a /48 to a /32
>
> Regards,
> Bill Herrin
>
>
> --
> William D. Herrin ................ herrin@dirtside.com bill@herrin.us
> 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
> Falls Church, VA 22042-3004
>