Requirements for IPv6 Firewalls

Lee Howard Lee at asgard.org
Mon Apr 21 16:32:40 UTC 2014



From:  George Herbert <george.herbert at gmail.com>
Date:  Friday, April 18, 2014 7:11 PM
To:  Lee Howard <Lee at asgard.org>
Cc:  Eugeniu Patrascu <eugen at imacandi.net>,
"draft-gont-opsec-ipv6-firewall-reqs at tools.ietf.org"
<draft-gont-opsec-ipv6-firewall-reqs at tools.ietf.org>, "nanog at nanog.org"
<nanog at nanog.org>
Subject:  Re: Requirements for IPv6 Firewalls

> Lee Howard:
>> So, yeah, you have to give your firewall administrator time to walk
>> through the rules and figure out what they ought to be in IPv6.  Your
>> firewall administrator has been wanting to clean up the rules for the last
>> two years, anyway.
> 
> 
> The arrogance in this assertion is amazing.

What arrogance?  I think I assert that IPv6 is time-consuming.
There is no "deploy IPv6" button.

fwiw, I do have enterprise network experience.

> 
> You're describing best practice.  Yes, of course, you should have well
> documented technical and business needs for what's open and what's closed in
> firewalls, and should have traceability from the rules in place to the
> requirements, and be able to walk the rules and understand them and
> reinterpret them from v4 to v6, to a new firewall vendor, etc etc.

Yes.  Any publicly-traded company will have this because their auditors
require it.  
I would think that companies without this documentation are probably not
ready to deploy a new protocol.
I concede that tracing the rules to the requirements is a hard one in
practice (and a PITA in operational practice), but I don't think it's
required to be able to map IPv4 rules to IPv6 rules.

> 
> Again - THE INERTIA IN REAL ENTERPRISE ENVIRONMENTS SAYS OTHERWISE.

To clarify: are you asserting that IPv6 uptake in enterprises is slow, which
is a sign of inertia, and the reason is that firewalls are poorly documented
and therefore we must have IPv6 NAT?
Maybe "lack of (perceived) business need" is the reason more enterprises
don't have IPv6.


> 
> Again - policy community blinders on understanding what real systems are like
> out in the world has repeatedly shot the conversion in the legs.  If you're
> going to start floating standards for this kind of stuff, then listen to
> feedback on why things are failing.

I don't agree that things are failing.
I would absolutely like to see enterprises adopt IPv6.  Maybe at this stage
enterprises with no firewall documentation are not good candidates for
dual-stack.  Those do seem to me to be the kind of clients who are likely to
blame IPv6 for any problem, and insist it be turned off before any other
troubleshooting.

Lee
