[171178] in North American Network Operators' Group
Re: Requirements for IPv6 Firewalls
daemon@ATHENA.MIT.EDU (Fernando Gont)
Mon Apr 21 05:30:04 2014
Date: Mon, 21 Apr 2014 06:03:55 -0300
From: Fernando Gont <fernando@gont.com.ar>
To: Brandon Ross <bross@pobox.com>, Sander Steffann <sander@steffann.nl>
In-Reply-To: <alpine.OSX.2.02.1404171914320.648@brugal.local>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Hi, Brandon,
On 04/17/2014 08:20 PM, Brandon Ross wrote:
> On Thu, 17 Apr 2014, Sander Steffann wrote:
>
>>> Also, I note your draft is entitled "Requirements for IPv6 Enterprise
>>> Firewalls." Frankly, no "enterprise" firewall will be taken seriously
>>> without address-overloaded NAT. I realize that's a controversial
>>> statement in the IPv6 world but until you get past it you're basically
>>> wasting your time on a document which won't be useful to industry.
>>
>> I disagree. While there certainly will be organisations that want such
>> a 'feature', it is certainly not a requirement for every (I hope most,
>> but I might be optimistic) enterprise.
>
> And I not only agree with Sander, but would also argue for a definitive
> statement in a document like this SPECIFICALLY to help educate the
> enterprise networking community on how to implement a secure border for
> IPv6 without the need for NAT. Having a document to point at that has
> been blessed by the IETF/community is key to helping recover the
> end-to-end principle. Such a document may or may not be totally in
> scope for a "firewall" document, but should talk about concepts like
> default-deny inbound traffic, stateful inspection and the use of address
> space that is not announced to the Internet and/or is completely blocked
> at borders for all traffic.
Are you arguing against, e.g., "default-deny inbound traffic"?
Thanks,
--
Fernando Gont
e-mail: fernando@gont.com.ar || fgont@si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
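As an added illustration of the border design Brandon describes (default-deny inbound, stateful inspection, and internal-only address space blocked at the border, all without NAT), here is a constructed nftables ruleset; it is not from the thread or the draft, and the prefixes, interface name and server address are assumed placeholders.

```nft
#!/usr/sbin/nft -f
# Constructed example (not from the thread): a default-deny IPv6 border with no NAT.
define site_prefix = 2001:db8::/32     # assumed: the site's globally routed prefix
define internal_only = fd00::/8        # ULA space: never announced, so it never crosses the border
define wan = "eth0"                    # assumed: upstream interface name

flush ruleset

table ip6 border {
    chain input {
        type filter hook input priority 0; policy drop;   # default-deny toward the firewall itself

        iif "lo" accept
        ct state established,related accept               # stateful: replies to sessions we opened
        ct state invalid drop

        # ICMPv6 is required for IPv6 to work (PMTUD, ND); RFC 4890 recommends admitting these.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept
        icmpv6 type echo-request limit rate 10/second accept
        # ND must arrive with hop limit 255 (link-local origin); a lower value means it crossed a router.
        icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ip6 hoplimit 255 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;   # default-deny inbound toward the LAN

        ct state established,related accept
        ct state invalid drop

        # Internal-only space is dropped in both directions at the border.
        iifname $wan ip6 saddr $internal_only drop
        oifname $wan ip6 daddr $internal_only drop
        oifname $wan ip6 saddr $internal_only drop
        # Anti-spoofing: packets claiming our own prefix must not enter from the WAN side.
        iifname $wan ip6 saddr $site_prefix drop

        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept

        # Inside hosts may initiate outbound; conntrack then admits the return traffic above.
        iifname != $wan oifname $wan ip6 saddr $site_prefix accept

        # Explicit inbound exceptions only: a public server on its own global address, no port mapping needed.
        iifname $wan ip6 daddr 2001:db8:0:1::80 tcp dport { 80, 443 } ct state new accept   # assumed address
    }
}
```

Load with `nft -f` on a Linux border router; every inbound flow not listed is dropped by the chain policy, and end-to-end addressing is preserved because nothing is rewritten.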