Consumer Grade - IPV6 Enabled Router Firewalls.
Mohacsi Janos
mohacsi at niif.hu
Sat Dec 12 06:55:15 UTC 2009
On Fri, 11 Dec 2009, Roger Marquis wrote:
> Joe Greco wrote:
>> Everyone knows a NAT gateway isn't really a firewall, except more or less
>> accidentally. There's no good way to provide a hardware firewall in an
>> average residential environment that is not a disaster waiting to happen.
>
> Gotta love it. A proven technology, successfully implemented on millions
> of residential firewalls "isn't really a firewall", but rather "a disaster
> waiting to happen". Makes you wonder what disaster and when exactly it's
> going to happen?
>
> Simon Perreault wrote:
>> We have thus come to the conclusion that there shouldn't be a
>> NAT-like firewall in IPv6 home routers.
>
> And that, in a nutshell, is why IPv6 is not going to become widely
> feasible any time soon.
>
> Whether or not there should be NAT in IPv6 is a purely rhetorical
> argument. The markets have spoken, and they demand NAT.
>
> Is there a natophobe in the house who thinks there shouldn't be stateful
> inspection in IPv6? If not then could you explain what overhead NAT
> requires that stateful inspection hasn't already taken care of?
>
> Far from the issue some try to make it out to be, NAT is really just a
> component of stateful inspection. If you're going to implement
> statefulness there is no technical downside to implementing NAT as well.
> No downside, plenty of upsides, no brainer...
Nobody thinks that a stateful firewall is not necessary for IPv6. If you
want to participate in the discussion, then comment on the IETF v6ops document:
http://www.ietf.org/id/draft-ietf-v6ops-cpe-simple-security-08.txt
Best Regards,
Janos Mohacsi