misunderstanding scale

Naslund, Steve SNaslund at medline.com
Mon Mar 24 17:44:31 UTC 2014

I don't buy that one at all.  Grandma does not care or know about IPv4 or IPv6.  When the IPv4 CPE gets installed it blocks inbound connections by default, why would IPv6 be any different?  Windows firewall, if she is relying on that, should not have any more problems with v6 than it does with v4.  I am also pretty sure that grandma does not care whether NAT is present or not.  In fact, grandma's cell phone might already be using v6.

If the equipment does not work right out of the box, that is the equipment supplier's or service provider's problem.  Do you really believe that most people deploying home gateways understand IPv4, NAT, or stateful firewalls?  No, they plug it in and the defaults should work for them.  It might require an engineering degree (or reading) to understand how IPv6 works; however, grandma does not need to know how IPv6 works or even how a network works.  She plugs in the CPE, plugs in her PC and off you go.  The smart people on this list are the ones that need to know how it works.  If we can't make the customer experience transparent to them, then bad on us.


-----Original Message-----
From: Curtis Maurand [mailto:cmaurand at xyonet.com] 
Sent: Monday, March 24, 2014 12:34 PM
To: Naslund, Steve
Subject: Re: misunderstanding scale

On 3/24/2014 12:53 PM, Naslund, Steve wrote:
> If they have a stateful IPv6 firewall (which they should and which most firewall vendors support), they already have what they need to prevent their internal systems from being accessible from the outside.  If you are an enterprise and you don't have a stateful firewall, you are in trouble from a security standpoint whether you run v4 or v6.  If you cannot configure a stateful firewall to block connections being initiated from outside, you are not qualified to be working with the firewall, v4 or v6 does not matter.  If someone is relying on NAT in case their firewall is misconfigured, they have major issues with security.
> In the home, I am not sure what the major issue is there either.  How many CPE devices have you seen that do not implement basic firewall functionality?  People may not use them correctly but that is no more an issue with v6 than it is with v4.  Most CPE even comes out of the box blocking inbound connections by default.
But grandma doesn't have the ability to deploy a stateful firewall at her house.  She doesn't even understand what stateful means.  Putting up a NAT firewall on an IPv4 network is simple and it's easy.  It provides adequate protection of one's internal network from the outside.  You plug them in and they work.  IPv6 just about requires an engineering degree to understand it.  Nobody thought about simplicity with it.
