[171180] in North American Network Operators' Group
Re: Requirements for IPv6 Firewalls
daemon@ATHENA.MIT.EDU (Lee Howard)
Mon Apr 21 12:33:31 2014
Date: Mon, 21 Apr 2014 12:32:40 -0400
From: Lee Howard <Lee@asgard.org>
To: George Herbert <george.herbert@gmail.com>
In-Reply-To: <CAK__Kzv4BaA5xX2wjLux65OL2thTB0Dd4adDA_poUqccLnGNVg@mail.gmail.com>
Cc: "draft-gont-opsec-ipv6-firewall-reqs@tools.ietf.org"
<draft-gont-opsec-ipv6-firewall-reqs@tools.ietf.org>, NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
From: George Herbert <george.herbert@gmail.com>
Date: Friday, April 18, 2014 7:11 PM
To: Lee Howard <Lee@asgard.org>
Cc: Eugeniu Patrascu <eugen@imacandi.net>,
"draft-gont-opsec-ipv6-firewall-reqs@tools.ietf.org"
<draft-gont-opsec-ipv6-firewall-reqs@tools.ietf.org>, "nanog@nanog.org"
<nanog@nanog.org>
Subject: Re: Requirements for IPv6 Firewalls
> Lee Howard:
>> So, yeah, you have to give your firewall administrator time to walk
>> through the rules and figure out what they ought to be in IPv6. Your
>> firewall administrator has been wanting to clean up the rules for the last
>> two years, anyway.
>
>
> The arrogance in this assertion is amazing.
What arrogance? I think I assert that IPv6 is time-consuming.
There is no "deploy IPv6" button.
fwiw, I do have enterprise network experience.
>
> You're describing best practice. Yes, of course, you should have well
> documented technical and business needs for what's open and what's closed in
> firewalls, and should have traceability from the rules in place to the
> requirements, and be able to walk the rules and understand them and
> reinterpret them from v4 to v6, to a new firewall vendor, etc etc.
Yes. Any publicly-traded company will have this because their auditors
require it.
I would think that companies without this documentation are probably not
ready to deploy a new protocol.
I concede that tracing the rules to the requirements is a hard one in
practice (and a PITA in operational practice), but I don't think it's
required to be able to map IPv4 rules to IPv6 rules.
>
> Again - THE INERTIA IN REAL ENTERPRISE ENVIRONMENTS SAYS OTHERWISE.
To clarify: are you asserting that IPv6 uptake in enterprises is slow, which
is a sign of inertia, and the reason is that firewalls are poorly documented
and therefore we must have IPv6 NAT?
Maybe "lack of (perceived) business need" is the reason more enterprises
don't have IPv6.
>
> Again - policy community blinders on understanding what real systems are like
> out in the world has repeatedly shot the conversion in the legs. If you're
> going to start floating standards for this kind of stuff, then listen to
> feedback on why things are failing.
I don't agree that things are failing.
I would absolutely like to see enterprises adopt IPv6. Maybe at this stage
enterprises with no firewall documentation are not good candidates for
dual-stack. Those do seem to me to be the kind of clients who are likely to
blame IPv6 for any problem, and insist it be turned off before any other
troubleshooting.
Lee