Requirements for IPv6 Firewalls

TheIpv6guy . cb.list6 at
Sat Apr 19 02:10:44 UTC 2014

On Fri, Apr 18, 2014 at 6:53 PM, Dobbins, Roland <rdobbins at> wrote:
> On Apr 19, 2014, at 1:20 AM, William Herrin <bill at> wrote:
>> There isn't much a firewall can do to break it.
> As someone who sees firewalls break the Internet all the time for those whose packets have the misfortune to traverse one, I must respectfully disagree.
> ;>

Yep.  I have seen many more security / availability events caused by a
firewall tipping over than anything else.  Firewalls tend to be put in
as single points of failure so that there is one point of inspection /
policy enforcement.  And, HA pairs are generally a joke.  2 failure
modes I have seen:  Firewall ALG saw a SIP packet option that it did
not like, so it reloaded itself.  In the process, it reflected the
session state with fatal information to its HA mate, which
immediately failed.  Same story with SYN floods, too many sessions
coming in, FW cannot keep up with figuring out what is good, what is
bad... Kablamoo.  The firewall is the weakest link in the chain.

Oh, and, then there is this... where the firewall, which is the one
point of security control, is in fact an open tap to your entire

But, it leads to clever things like this where home routers get
hijacked as proxies...for whatever ...

I think stateful network-based firewalls are more harm than good and I
would like hosts and applications to be the ultimate front line of
defense.  To each their own.  Just a data point.



> -----------------------------------------------------------------------
> Roland Dobbins <rdobbins at> // <>
>           Luck is the residue of opportunity and design.
>                        -- John Milton
