Consumer Grade - IPV6 Enabled Router Firewalls.

Owen DeLong owen at delong.com
Mon Dec 14 03:08:36 CST 2009


> I really am honestly sick of people thinking IPv6 is a panacea.  It isn't. UPnP is rather a bit of a hack for sure, protocols should be better designed, but in this modern age of Peer To Peer you need a way for applications to ask the firewall to selectively open incoming ports.
>
If the addresses of your gaming machines are no longer dynamic and their ports are no longer getting dynamically remapped, why do you need that instead of a way to tell the firewall that X machine is allowed to receive packets on Y ports from Z hostlist (where X, Z can be wildcarded, and Y can be some form of list, range, or list of ranges)?

No, IPv6 is not a panacea.  However, IPv6 does eliminate the need for rapidly changing addresses on hosts that need to accept inbound connections, which makes it possible to define policy for those hosts rather than just trusting unauthenticated arbitrary applications to amend your security policy at your border.

UPnP is the firewall equivalent of having US CBP admit any person who has someone in the US say that they should be admitted.  While I do support some level of immigration reform and more open borders than has been the trend of late, even I would not go that far.

Owen
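As an added illustration (not part of Owen's post or any firewall product), here is a small default-deny evaluator for the policy model he sketches: host X may receive packets on ports Y from hostlist Z, where X and Z may be wildcarded and Y is a list of ports and ranges. The addresses are constructed from the 2001:db8::/32 documentation prefix and the rule names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass

# Policy model from the post: "X machine may receive packets on Y ports from Z hostlist".
# X and Z are "*" or a comma-separated list of IPv6 hosts/prefixes; Y is "*" or
# a comma-separated list of ports and ranges such as "27015-27030,3074".

def parse_ports(spec):
    """Parse 'a-b,c' into [(lo, hi), ...]; '*' means every port."""
    if spec == "*":
        return [(0, 65535)]
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo_i, hi_i = int(lo), (int(hi) if hi else int(lo))
        if not 0 <= lo_i <= hi_i <= 65535:
            raise ValueError("bad port spec: %r" % part)
        ranges.append((lo_i, hi_i))
    return ranges

def parse_hosts(spec):
    """'*' -> None (wildcard); else a list of IPv6 networks (bare hosts become /128)."""
    if spec == "*":
        return None
    return [ipaddress.ip_network(h.strip(), strict=False) for h in spec.split(",")]

@dataclass
class Rule:
    dst: object   # list of networks, or None for wildcard X
    ports: list   # list of (lo, hi) tuples for Y
    src: object   # list of networks, or None for wildcard Z

def make_rule(x, y, z):
    return Rule(parse_hosts(x), parse_ports(y), parse_hosts(z))

def permits(rules, src, dst, dport):
    """Default deny: an inbound packet passes only if some static rule matches it."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.dst is not None and not any(d in n for n in r.dst):
            continue
        if r.src is not None and not any(s in n for n in r.src):
            continue
        if any(lo <= dport <= hi for lo, hi in r.ports):
            return True
    return False

# Constructed sample policy: a gaming box with a static address accepts its game ports
# from anywhere; an admin host accepts SSH only from one internal /64.
RULES = [
    make_rule("2001:db8:1::10", "27015-27030,3074", "*"),
    make_rule("2001:db8:1::20", "22", "2001:db8:2::/64"),
]
```

Because the destination address is static, the rule never needs to be rewritten or reopened by the application, which is the point of the post.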

More information about the NANOG mailing list