Requirements for IPv6 Firewalls

Lee Howard Lee at asgard.org
Fri Apr 18 22:01:24 UTC 2014


On 4/17/14 8:51 PM, "Matthew Kaufman" <matthew at matthew.at> wrote:

>While you're at it, the document can explain to admins who have been
>burned, often more than once, by the pain of re-numbering internal
>services at static addresses how IPv6 without NAT will magically solve
>this problem.


http://datatracker.ietf.org/doc/rfc6879/

This document analyzes events that cause renumbering and describes
   the current renumbering methods.  These are described in three
   categories: those applicable during network design, those applicable
   during preparation for renumbering, and those applicable during the
   renumbering operation.


Lee

>
>Matthew Kaufman
>
>(Sent from my iPhone)
>
>> On Apr 17, 2014, at 4:20 PM, Brandon Ross <bross at pobox.com> wrote:
>> 
>> On Thu, 17 Apr 2014, Sander Steffann wrote:
>> 
>>>> Also, I note your draft is entitled "Requirements for IPv6 Enterprise
>>>> Firewalls." Frankly, no "enterprise" firewall will be taken seriously
>>>> without address-overloaded NAT. I realize that's a controversial
>>>> statement in the IPv6 world but until you get past it you're basically
>>>> wasting your time on a document which won't be useful to industry.
>>> 
>>> I disagree. While there certainly will be organisations that want such
>>>a 'feature' it is certainly not a requirement for every (I hope most,
>>>but I might be optimistic) enterprises.
>> 
>> And I not only agree with Sander, but would also argue for a definitive
>>statement in a document like this SPECIFICALLY to help educate the
>>enterprise networking community on how to implement a secure border for
>>IPv6 without the need for NAT.  Having a document to point at that has
>>been blessed by the IETF/community is key to helping recover the
>>end-to-end principle.  Such a document may or may not be totally in
>>scope for a "firewall" document, but should talk about concepts like
>>default-deny inbound traffic, stateful inspection and the use of address
>>space that is not announced to the Internet and/or is completely blocked
>>at borders for all traffic.
>> 
>> Heck, we could even make it less specific to IPv6 and create a document
>>that describes these concepts and show how NAT is not necessary nor wise
>>for IPv4, either.  (Yes, yes, other than address conservation.)
>> 
>> -- 
>> Brandon Ross                                      Yahoo & AIM:
>>BrandonNRoss
>> +1-404-635-6667                                                ICQ:
>>2269442
>>                                                         Skype:
>>brandonross
>> Schedule a meeting:  http://www.doodle.com/bross
>> 
>
>






More information about the NANOG mailing list