Requirements for IPv6 Firewalls

Simon Perreault simon at per.reau.lt
Fri Apr 18 18:32:47 UTC 2014


On 2014-04-18 14:20, William Herrin wrote:
> On Fri, Apr 18, 2014 at 2:06 PM, Simon Perreault <simon at per.reau.lt> wrote:
>> IMHO, what the IETF can do is recommend a set of behavioural traits that
>> make IPv6 firewalls behave like good citizens in the Internet ecosystem.
>> Meaning that a firewall that obeys those requirements will not break the
>> Internet. For example, passing ICMPv6 Too Big messages is important to
>> not break the Internet.
> 
> That would either be a very short document or a document so
> ideologically loaded that it has no technical utility. The Internet is
> pretty resilient. There isn't much a firewall can do to break it.

In IETF we routinely use the phrase "breaking the Internet" to mean
something rather more limited than "breaking all of the Internet". There
are tons of things firewalls can do, and some do today, that would be
considered breaking the Internet.

FYI, we had a similar document targeted at CGNs:

http://tools.ietf.org/html/rfc6888

From the abstract:

   This document describes behavior that is required of those multi-
   subscriber NATs for interoperability.  It is not an IETF endorsement
   of CGNs or a real specification for CGNs; rather, it is just a
   minimal set of requirements that will increase the likelihood of
   applications working across CGNs.

That is exactly the kind of requirements I am thinking of when I say
"not breaking the Internet". Still, there were a few "feature shopping
list" requirements that crept into that RFC. It's far from perfect.

Simon
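Added example, not part of the post above or of the thread: a small Python simulation of why the "pass ICMPv6 Packet Too Big" requirement matters. It builds and parses a type 2 message in the RFC 4443 layout, applies a firewall policy to it, and runs IPv6 Path MTU Discovery across a constructed path, once with a firewall that passes the ICMPv6 error messages (types 1 to 4, the set RFC 4890 says not to drop) and once with one that drops all ICMPv6. The path MTUs, the policies and the helper names are assumptions made for the illustration; the checksum is left zero because the IPv6 pseudo-header is not modelled.

```python
"""Simulate IPv6 Path MTU Discovery through a stateless firewall.

Added example for the NANOG thread, not code from the post. Shows that a
firewall which drops ICMPv6 Packet Too Big (type 2) turns a smaller-MTU
hop into a blackhole for large packets, while one that passes it lets the
sender converge on the path MTU.
"""
import struct

ICMPV6_DEST_UNREACH = 1
ICMPV6_PACKET_TOO_BIG = 2
ICMPV6_TIME_EXCEEDED = 3
ICMPV6_PARAM_PROBLEM = 4
IPV6_MIN_MTU = 1280          # RFC 8200 minimum link MTU

# ICMPv6 error messages (types 1-4) that RFC 4890 recommends a firewall
# never drop. Assumption for this example: this set is the whole policy;
# echo and Neighbor Discovery handling are out of scope here.
ESSENTIAL_ICMPV6_TYPES = frozenset({
    ICMPV6_DEST_UNREACH, ICMPV6_PACKET_TOO_BIG,
    ICMPV6_TIME_EXCEEDED, ICMPV6_PARAM_PROBLEM,
})


def build_packet_too_big(mtu: int, invoking: bytes) -> bytes:
    """RFC 4443 section 3.2 layout: type, code, checksum, MTU, then as much
    of the invoking packet as fits in the minimum MTU. Checksum is zeroed
    because the pseudo-header is not modelled in this simulation."""
    return struct.pack("!BBHI", ICMPV6_PACKET_TOO_BIG, 0, 0, mtu) + invoking[:1232]


def parse_icmpv6(msg: bytes) -> dict:
    """Decode the fixed 8-byte ICMPv6 header; expose the MTU for type 2."""
    if len(msg) < 8:
        raise ValueError("ICMPv6 header is 8 bytes")
    icmp_type, code, _csum, word = struct.unpack("!BBHI", msg[:8])
    parsed = {"type": icmp_type, "code": code}
    if icmp_type == ICMPV6_PACKET_TOO_BIG:
        parsed["mtu"] = word
    return parsed


def firewall_verdict(msg: bytes, allowed_types=ESSENTIAL_ICMPV6_TYPES) -> str:
    """Stateless ICMPv6 filter: pass the message if its type is allowed."""
    return "pass" if parse_icmpv6(msg)["type"] in allowed_types else "drop"


def pmtud_transfer(link_mtus, allowed_types, payload_len=1500, max_tries=8):
    """Return (delivered, final_size, attempts).

    The sender starts at its own link MTU and shrinks only when a Packet
    Too Big comes back through the firewall. If the firewall drops it, the
    sender keeps retrying the same size, which is what a PMTU blackhole
    looks like from the application's side.
    """
    size = payload_len
    for attempt in range(1, max_tries + 1):
        # First hop whose link MTU is smaller than the packet, if any.
        bottleneck = next((m for m in link_mtus if m < size), None)
        if bottleneck is None:
            return True, size, attempt
        # Router at the bottleneck emits Packet Too Big toward the sender.
        # Constructed stub of the invoking IPv6 header (version nibble 6).
        ptb = build_packet_too_big(bottleneck, b"\x60" + b"\x00" * 39)
        if firewall_verdict(ptb, allowed_types) == "pass":
            # Sender honours the reported MTU, never going below 1280.
            size = max(parse_icmpv6(ptb)["mtu"], IPV6_MIN_MTU)
        # Dropped: the sender learns nothing and retries at the same size.
    return False, size, max_tries


if __name__ == "__main__":
    # Constructed path: sender's LAN, a tunnel hop at 1480, a 1280 link, LAN.
    path = [1500, 1480, 1280, 1500]
    print("pass types 1-4:", pmtud_transfer(path, ESSENTIAL_ICMPV6_TYPES))
    print("drop all ICMPv6:", pmtud_transfer(path, frozenset()))
    print("echo only:", pmtud_transfer(path, frozenset({128, 129})))
```

The last case is the one seen in practice: a policy that "allows ping" but nothing else in ICMPv6 looks permissive, yet it still blackholes every packet larger than the smallest hop, and the failure only shows up for flows that happen to send full-size segments.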