Requirements for IPv6 Firewalls

Eugeniu Patrascu eugen at imacandi.net
Fri Apr 18 07:31:37 UTC 2014


On Thu, Apr 17, 2014 at 11:45 PM, George Herbert
<george.herbert at gmail.com> wrote:

>
>
>
> On Thu, Apr 17, 2014 at 11:32 AM, Eugeniu Patrascu <eugen at imacandi.net> wrote:
>
>> ...
>> It's a bigger risk to think that NAT somehow magically protects you
>> against stuff on the Internet.
>> Also, if your problem is that someone can screw up firewall rules, then
>> you have a bigger issue in your organization than IPv6.
>
>
>
>> > There's a fair argument to be made which says that kind of NAT is
>> > unhealthy. If its proponents are correct, they'll win that argument
>> > later on with NAT-incompatible technology that enterprises want. After
>> > all, enterprise security folk didn't want the Internet in the
>> > corporate network at all, but having a web browser on every desk is
>> > just too darn useful. Where they won't win that argument is in the
>> > stretch of maximum risk for the enterprise security folk.
>> >
>> >
>> Any technology has associated risks, it's a matter of how you
>> reduce/mitigate them.
>> This paranoia thingie about IPv6 is getting a bit old.
>> Just because you don't (seem to) understand how it works, it doesn't mean
>> no one else should use it.
>
>
>
> You are missing the point.
>

> Granted, anyone who is IPv6 aware doing a green-field enterprise firewall
> design today should probably choose another way than NAT.
>
>
That's why you have gazillions of IP addresses in IPv6, so you don't need
to NAT anything (among other things). I don't understand why people cling
to NAT stuff when you can just route.



> What you are failing to see is that "redesign firewall rules and approach from
> scratch along with the IPv6 implementation" usually is not the chosen path,
> versus "re-implement the same v4 firewall rules and technologies in IPv6
> for the IPv6 implementation", because all the IPv6 aware net admins
> have too much to do dealing with all the other conversion issues, vendor
> readiness all across the stack, etc.
>
>
You treat IPv6 like the only protocol running and design the implementation
taking that into consideration. Where necessary you publish AAAA records,
and so only devices/services that are IPv6 aware will be accessed over
IPv6; all others can stay on IPv4 until they are migrated. It works
wonderfully.

This idea of matching IPv4 1:1 to IPv6 is not the way to go.


> Variations on this theme are part of why it's 2014 and IPv6 hasn't already
> taken over the world.  The more rabid IPv6 proponents have in fact shot the
> transition in the legs repeatedly, and those of us who have been on the
> front lines would like you all to please shut up and get out of the way so
> we can actually finish effecting v6 deployment and move on to mopping up
> things like NAT later.
>


I don't get this paragraph. From my perspective, if you want IPv6 you can
do it. In all the organizations I get in contact with and ask about IPv6, it
is the lack of knowledge and interest that puts a stop to the deployment,
nothing else.

Eugeniu
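The design the message above argues for (route IPv6 natively, keep the stateful filtering that NAT is usually credited with, and open inbound only for the services that actually got AAAA records) looks roughly like the following nftables ruleset. This is an added example, not something posted in the thread; the interface name "wan0", the prefix 2001:db8:1::/48 (documentation space) and the two service addresses are assumptions chosen for illustration.

```nftables
# Added example, not from the NANOG thread. Stateful IPv6 edge filter
# for a routed (non-NAT) deployment. wan0, 2001:db8:1::/48 and the
# service addresses below are assumed values for the illustration.
table ip6 edge {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for flows the inside opened: the same "only
        # what we initiated comes back" property NAT is credited with,
        # obtained from connection tracking without rewriting addresses.
        ct state established,related accept
        ct state invalid drop

        # ICMPv6 is not optional in v6: dropping these breaks path MTU
        # discovery and error reporting for every host behind the router.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem, echo-request } accept

        # Hosts inside the assumed prefix may originate anything outbound.
        ip6 saddr 2001:db8:1::/48 oifname "wan0" accept

        # Inbound holes only for services that were judged IPv6-ready and
        # given AAAA records; everything else has no AAAA and stays v4-only,
        # so nothing reaches it over v6 regardless of this ruleset.
        ip6 daddr 2001:db8:1:10::80 tcp dport { 80, 443 } ct state new accept
        ip6 daddr 2001:db8:1:10::25 tcp dport 25 ct state new accept

        # Everything else is logged and dropped by the chain policy path.
        counter log prefix "v6-fwd-drop " drop
    }
}
```

Load it with `nft -f edge.nft` and review the result with `nft list ruleset`. The point of the layout is that the per-service lines are the only places a v4 rule base has a counterpart; there is no translation table, and the inbound policy is driven by which hosts were deliberately published in DNS over v6.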


