Requirements for IPv6 Firewalls

William Herrin bill at herrin.us
Thu Apr 17 15:51:50 UTC 2014


On Thu, Apr 17, 2014 at 6:30 AM, Fernando Gont <fernando at gont.com.ar> wrote:
> A few months ago we published an IETF I-D with requirements for IPv6
> firewalls.
>
> Based on the feedback received since then, we've published a revision of
> the I-D:
> <http://www.ietf.org/internet-drafts/draft-gont-opsec-ipv6-firewall-reqs-01.txt>

Hi Fernando,

The feedback I would offer is this: You missed. By a lot.

For one thing, many of the requirements are vague, like REQ APP-20.
I've mitigated spam by allowing the operator to configure static
packet filters for the bad guy's netblock, right? Requirements "must"
be precise. Where you can't make it precise, drop it to a "should."

And why is spam mitigation a firewall requirement in the first place?
Traditionally that's handled by a specialty appliance, largely because
it's such a moving target.

Also, I note your draft is entitled "Requirements for IPv6 Enterprise
Firewalls." Frankly, no "enterprise" firewall will be taken seriously
without address-overloaded NAT. I realize that's a controversial
statement in the IPv6 world but until you get past it you're basically
wasting your time on a document which won't be useful to industry.

Take it back to the drawing board. You're not there yet.

Regards,
Bill Herrin


-- 
William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
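The "static packet filter for the bad guy's netblock" that Bill says would technically satisfy a vague requirement like REQ APP-20 is, concretely, a rule such as the following. This is an added example written for this page in nftables syntax; it is not from Bill's mail, from the I-D, or from any product. The table and set names are arbitrary, and 2001:db8:bad::/48 is a constructed placeholder taken from the IPv6 documentation prefix, not a real network.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original mail or the draft under discussion.
# A static IPv6 packet filter: traffic sourced from an operator-configured
# netblock is dropped before any host or service sees it.
# 2001:db8:bad::/48 is a placeholder from the documentation prefix.

table ip6 static_filter {
    # Operator-maintained list of blocked source prefixes.
    # "flags interval" lets the set hold whole prefixes rather than
    # single addresses, so one element covers the entire netblock.
    set blocked_src {
        type ipv6_addr
        flags interval
        elements = { 2001:db8:bad::/48 }
    }

    chain input {
        type filter hook input priority 0; policy accept;

        # Keep replies to conversations this host started.
        ct state established,related accept

        # Drop everything from the blocked netblocks, counting hits so the
        # operator can verify the rule is actually matching traffic.
        ip6 saddr @blocked_src counter drop
    }

    chain forward {
        type filter hook forward priority 0; policy accept;

        # Same block for traffic transiting this box as a router.
        ip6 saddr @blocked_src counter drop
    }
}
```

Load it with `nft -f <file>`; a new prefix can be added at run time with `nft add element ip6 static_filter blocked_src { 2001:db8:bad:1::/64 }` (another placeholder prefix) without reloading the ruleset. Two caveats a reviewer of the draft would raise: this is exactly the kind of coarse, address-based control Bill describes, so it "mitigates spam" only in the loosest sense, and the `policy accept` defaults here are for illustration; a perimeter firewall would normally run `policy drop` with explicit accept rules.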
More information about the NANOG mailing list