Requirements for IPv6 Firewalls

Fernando Gont fernando at gont.com.ar
Thu Apr 17 16:15:22 UTC 2014


Hi, William!

Thanks so much for your feedback! One meta comment: this document is an
Internet-Draft, not an RFC. It's just the second version (-01) we have
published... so it's not meant to be there. The reason for posting the
I-D here was so that I could get your input as early in the production
of this document as possible.

Comments in-line....

On 04/17/2014 12:51 PM, William Herrin wrote:
> 
> The feedback I would offer is this: You missed. By a lot.
> 
> For one thing, many of the requirements are vague, like REQ APP-20.
> I've mitigated spam by allowing the operator to configure static
> packet filters for the bad guy's netblock, right? Requirements "must"
> be precise. Where you can't make it precise, drop it to a "should."

Ok, will expand REQ APP-20...



> And why is spam mitigation a firewall requirement in the first place?
> Traditionally that's handled by a specialty appliance, largely because
> it's such a moving target.
> 
> Also, I note your draft is entitled "Requirements for IPv6 Enterprise
> Firewalls." Frankly, no "enterprise" firewall will be taken seriously
> without address-overloaded NAT. 

Just double-checking: you're referring to NAT where the same address is
employed for multiple hosts in the local network, and where the
transport-protocol port needs to be re-written by the NAT device?
(i.e., a NAT-PT)


> I realize that's a controversial
> statement in the IPv6 world but until you get past it you're basically
> wasting your time on a document which won't be useful to industry.

That's certainly controversial in the IPv6 world, but I have no problem
with that. This sort of input (even better if more people weigh in) is
exactly what we're looking for, so that when we apply the corresponding
changes and folks from other circles complain about them, I can point
them to this sort of discussion.

Thanks!

Best regards,
-- 
Fernando Gont
e-mail: fernando at gont.com.ar || fgont at si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1