Access to the IPv4 net for IPv6-only systems, was: Re: WG Action: Conclusion of IP Version 6 (ipv6)

Daniel Senie dts at senie.com
Tue Oct 2 15:35:10 UTC 2007


At 09:13 AM 10/2/2007, Iljitsch van Beijnum wrote:


>On 2-okt-2007, at 15:05, Adrian Chadd wrote:
>
>>Please explain how you plan on getting rid of those protocol-aware
>>plugins
>>when IPv6 is widely deployed in environments with -stateful
>>firewalls-.
>
>You just open up a hole in the firewall where appropriate.

It might help if you understood why deep packet inspection firewalls 
exist. If it were as easy as opening holes and trusting hosts, Cisco 
would not have a market for its PIX/ASA products, SonicWALL wouldn't 
exist, Juniper wouldn't have bought NetScreen, and so forth. The 
reality is end hosts are not sufficiently secure. Network security is 
built in layers. Sure, you use whatever you can in the hosts, but you 
don't trust it.

Microsoft has had some spectacular holes that impacted even 
uninfected hosts (by DDoS) such as CodeRed. And this isn't a knock on 
Microsoft. There've been security issues with most systems at one 
point or another. Trusting end systems is insufficient.

Site security policies are often far more complex than can be 
addressed by the servers to be protected, and involve VPN access, 
time-of-day rulesets, attack signature analysis and the like.


>You can have an ALG, the application or the OS do this. As you
>probably know by now, I don't favor the ALG approach.

That's great that you don't favor it, but firewalls with stateful 
inspection can and do look deep into packets to figure out if the 
packets are legitimate. These devices sell, because they help. This, 
like NAT, is something that came about because of need. IPv6 does not 
remove the need for firewalls. Arguably because of the volume of 
relatively untested software involved on the hosts, firewalls will be 
quite important.


>>End-to-end-ness is and has been "busted" in the corporate world AFAICT
>>for a number of years. IPv6 "people" seem to think that simply
>>providing
>>globally unique addressing to all endpoints will remove NAT and all
>>associated trouble. Guess what - it probably won't.
>
>If you don't want end-to-end, be a man (or woman) and use a proxy.
>Don't tell the applications they are connected to the rest of
>the world and then pull the rug from under them. This works in IPv4
>today but don't expect this to carry over to IPv6. At least not
>without a long, bloody fight.

So I'm sure you've explained to the firewall vendors they should be 
selling proxy boxes instead, and they've listened to you. Sorry the 
market has dictated solutions you don't like. Time to move on, and 
stop fighting a battle that's been lost. 
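The "protocol-aware plugins" Adrian asks about above are exactly what the stateful firewalls Daniel describes carry: an FTP session (RFC 2428 EPRT/EPSV) names its data-channel endpoint inside the control-channel payload, so a device tracking only 5-tuples cannot know which hole to open, or whether the hole requested is legitimate, without parsing the application layer. The following is an added example written for this page, not code from the thread or from any vendor product. It is a minimal FTP ALG for an IPv6 session that derives the dynamic pinhole from EPRT/EPSV and refuses an EPRT that advertises any address other than the client's own (the classic FTP bounce). The addresses and the session transcript are constructed for the demo using the RFC 3849 documentation prefix.

```python
"""Minimal FTP-aware inspection (an ALG) for a stateful IPv6 firewall.

Added example, not code from the NANOG thread.  FTP (RFC 2428) carries the
data-channel endpoint inside the control-channel payload, so a firewall that
only tracks 5-tuples cannot know which hole to open without parsing the
application layer.  Addresses and the transcript below are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFC 2428: EPRT |<af>|<addr>|<port>|   (af 1 = IPv4, 2 = IPv6)
EPRT_RE = re.compile(r"^EPRT \|([12])\|([^|]+)\|(\d{1,5})\|\s*$", re.IGNORECASE)
# RFC 2428: 229 Entering Extended Passive Mode (|||<port>|)
EPSV_RE = re.compile(r"^229 .*\(\|\|\|(\d{1,5})\|\)\s*$")
AF_VERSION = {"1": 4, "2": 6}


@dataclass(frozen=True)
class Pinhole:
    """A dynamic allow rule: src may open one TCP connection to dst:dport."""
    src: str
    dst: str
    dport: int


def _valid_port(text: str) -> Optional[int]:
    port = int(text)
    return port if 1 <= port <= 65535 else None


def parse_eprt(line: str, client_addr: str, server_addr: str) -> Optional[Pinhole]:
    """Active mode: the client names the endpoint the server must connect to.

    Returns the pinhole (server -> client:port), or None when the command is
    malformed, the address family is wrong, or the advertised address is not
    the client's own.  Without that last check a client could make the
    firewall open a hole to any third host (the FTP bounce).
    """
    m = EPRT_RE.match(line)
    if not m:
        return None
    af, addr_text, port_text = m.groups()
    port = _valid_port(port_text)
    if port is None:
        return None
    try:
        addr = ipaddress.ip_address(addr_text)
    except ValueError:
        return None
    if addr.version != AF_VERSION[af] or addr != ipaddress.ip_address(client_addr):
        return None
    return Pinhole(src=server_addr, dst=client_addr, dport=port)


def parse_epsv(line: str, client_addr: str, server_addr: str) -> Optional[Pinhole]:
    """Passive mode: the server names the port the client must connect to.

    The data connection runs client -> server, so only that direction and
    only the advertised port is opened.
    """
    m = EPSV_RE.match(line)
    if not m:
        return None
    port = _valid_port(m.group(1))
    if port is None:
        return None
    return Pinhole(src=client_addr, dst=server_addr, dport=port)


def inspect_session(transcript: List[Tuple[str, str]], client_addr: str,
                    server_addr: str) -> Tuple[List[Pinhole], List[str]]:
    """Walk the control channel ("C" = client line, "S" = server line) the way
    an ALG would, returning the pinholes to install and the lines it refused."""
    holes: List[Pinhole] = []
    refused: List[str] = []
    for who, line in transcript:
        if who == "C" and line.upper().startswith("EPRT "):
            hole = parse_eprt(line, client_addr, server_addr)
        elif who == "S" and line.startswith("229 "):
            hole = parse_epsv(line, client_addr, server_addr)
        else:
            continue  # other commands and replies need no pinhole
        if hole is None:
            refused.append(line)
        else:
            holes.append(hole)
    return holes, refused


CLIENT = "2001:db8::10"      # constructed (RFC 3849 documentation prefix)
SERVER = "2001:db8:1::21"    # constructed

# Constructed control-channel transcript, not a real capture.
SAMPLE_SESSION = [
    ("C", "USER anonymous"),
    ("S", "230 Login ok"),
    ("C", "EPRT |2|2001:db8::10|50000|"),     # legitimate active-mode request
    ("S", "200 EPRT command successful"),
    ("C", "EPRT |2|2001:db8:dead::1|22|"),     # bounce attempt: third-party host
    ("C", "EPRT |1|192.0.2.5|50001|"),         # wrong family for an IPv6 session
    ("C", "EPSV"),
    ("S", "229 Entering Extended Passive Mode (|||6446|)"),
    ("C", "EPRT |2|2001:db8::10|99999|"),      # port out of range
]


def demo() -> Tuple[List[Pinhole], List[str]]:
    return inspect_session(SAMPLE_SESSION, CLIENT, SERVER)


if __name__ == "__main__":
    holes, refused = demo()
    for h in holes:
        print(f"allow tcp {h.src} -> [{h.dst}]:{h.dport}")
    for line in refused:
        print(f"refused: {line}")
```

Run as-is it installs two pinholes (one per direction, each bound to one port) and refuses three EPRT commands. The point for the thread: the same parsing and the same bounce check are required whether the addresses are RFC 1918 behind NAT or globally unique IPv6; global addressing removes the translation, not the need to understand the protocol before opening the hole.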




More information about the NANOG mailing list