Consumer Grade - IPV6 Enabled Router Firewalls.

Mohacsi Janos mohacsi at niif.hu
Sat Dec 12 06:55:15 UTC 2009




On Fri, 11 Dec 2009, Roger Marquis wrote:

> Joe Greco wrote:
>> Everyone knows a NAT gateway isn't really a firewall, except more or less
>> accidentally.  There's no good way to provide a hardware firewall in an
>> average residential environment that is not a disaster waiting to happen.
>
> Gotta love it.  A proven technology, successfully implemented on millions
> of residential firewalls "isn't really a firewall" but rather "a disaster
> waiting to happen".  Makes you wonder what disaster and when exactly it's
> going to happen?
>
> Simon Perreault wrote:
>> We have thus come to the conclusion that there shouldn't be a
>> NAT-like firewall in IPv6 home routers.
>
> And that, in a nutshell, is why IPv6 is not going to become widely
> feasible any time soon.
>
> Whether or not there should be NAT in IPv6 is a purely rhetorical
> argument.  The markets have spoken, and they demand NAT.
>
> Is there a natophobe in the house who thinks there shouldn't be stateful
> inspection in IPv6?  If not then could you explain what overhead NAT
> requires that stateful inspection hasn't already taken care of?
>
> Far from the issue some try to make it out to be, NAT is really just a
> component of stateful inspection.  If you're going to implement
> statefulness there is no technical downside to implementing NAT as well.
> No downside, plenty of upsides, no brainer...



Nobody thinks that a stateful firewall is not necessary for IPv6. If you
want to participate in the discussion, then comment on the IETF v6ops document:
http://www.ietf.org/id/draft-ietf-v6ops-cpe-simple-security-08.txt

Best Regards,
 		Janos Mohacsi





More information about the NANOG mailing list