Requirements for IPv6 Firewalls

George Herbert george.herbert at
Mon Apr 21 18:58:12 UTC 2014

On Mon, Apr 21, 2014 at 9:32 AM, Lee Howard <Lee at> wrote:
> You're describing best practice.  Yes, of course, you should have well
> documented technical and business needs for what's open and what's closed
> in firewalls, and should have traceability from the rules in place to the
> requirements, and be able to walk the rules and understand them and
> reinterpret them from v4 to v6, to a new firewall vendor, etc etc.
> Yes.  Any publicly-traded company will have this because their auditors
> require it.
> I would think that companies without this documentation are probably not
> ready to deploy a new protocol.
> I concede that tracing the rules to the requirements is a hard one in
> practice (and a PITA in operational practice), but I don't think it's
> required to be able to map IPv4 rules to IPv6 rules.
You would think that any publicly-traded or sufficiently large or high
profile company would have that because their auditors should require that.
Yes, that's a reasonable assertion and hope.

I regret to inform the discussion that it's a forlorn hope in a number of
actual real world organizations.

I'm not making noise to be remembered on the lists as a pissed off
troublemaker.  I've been doing enterprise IT consulting since the early
1990s, and am relaying what the state of reality is, and attempting to get
people at various levels to deal with that rather than assume higher levels
of competence than are really out there...

-george william herbert
george.herbert at
