Firewall Wizards mailing list archives

Re: IPv6 support in firewalls


From: "Patrick M. Hausen" <hausen () punkt de>
Date: Thu, 23 Aug 2007 22:14:43 +0200

Hi, wizards,

On Thu, Aug 23, 2007 at 02:42:03PM -0400, Dave Piscitello wrote:
 Marcus, a proposal nearly identical to what you suggest was one of the first 
 presented at the IETF in the mid-1990s. At the time, the intelligentiaTF 
 pooh-poohed it as not being sufficiently forward-looking and innovative. It 
 didn't consider 64-bit alignment. It didn't *fix* options. It didn't *fix* 
 QOS. It didn't accommodate IP security in a "native" manner.

 Happily, time wounds all heels. Over a decade later, and we've bent, 
 twisted, tunneled, re-mapped, stretched, and NAT'd IPv4 until it does 
 everything IPv6 promised - and now, all IPv6 brings to the table is a bigger 
 field for addresses and an ungainly, unwanted and arguably unwarrantable 
 transition scenario.

IPv6 brings back the end-to-end principle and NAT its well-deserved
death. This alone should be enough reason to go for it.

And I don't see what should be particularly more difficult to
implement in an IPv6 based application level gateway than in
an IPv4 based one. Terminate both connections in a proxy process
instead of messing with headers. Simple and effective.

OK, honestly, I cannot write an "IPv6" firewall on a jug of beer
and I don't claim I could. But some vendors got it mostly right
for IPv4 simply by using transparent proxy processes instead
of "deep adaptive whatever inspection".

And a TCP connection carrying HTTP is a TCP connection carrying
HTTP regardless of the layer 3 protocol. I expect the few remaining
ALG vendors to be the first to have proper IPv6 capable solutions
for this simple architectural reason.

Kind regards,
Patrick M. Hausen
Leiter Netzwerke und Sicherheit
-- 
punkt.de GmbH * Vorholzstr. 25 * 76137 Karlsruhe
Tel. 0721 9109 0 * Fax 0721 9109 100
info () punkt de       http://www.punkt.de
Gf: Jürgen Egeling      AG Mannheim 108285
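The proxy architecture described above, as an added example that is not part of the original post: a minimal Go ALG that terminates the client's TCP connection, applies an HTTP policy to the request line, and then opens a separate TCP connection upstream and copies bytes both ways. Nothing it touches is below layer 4, so the same code serves IPv4 and IPv6 clients and upstreams; the upstream address string and the method allow-list are assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net"
	"strings"
)

// checkRequestLine is the application-layer policy of this toy ALG. It sees only
// the bytes the client sent, so the same check serves IPv4 and IPv6 clients.
func checkRequestLine(line string) error {
	parts := strings.Fields(strings.TrimRight(line, "\r\n"))
	if len(parts) != 3 || !strings.HasPrefix(parts[2], "HTTP/1.") {
		return fmt.Errorf("malformed request line: %q", line)
	}
	switch parts[0] {
	case "GET", "HEAD", "POST": // assumed allow-list, not from the original post
		return nil
	}
	return fmt.Errorf("method %q not permitted", parts[0])
}

// relay serves one client: terminate its TCP connection, apply the policy, then
// open a separate TCP connection to upstream and copy bytes both ways. No IP
// header is touched; the address family on each side is decided purely by the
// address strings handed to net.Listen and net.Dial ("[::1]:80" or "127.0.0.1:80").
func relay(ln net.Listener, upstream string) error {
	client, err := ln.Accept()
	if err != nil { return err }
	defer client.Close()
	rd := bufio.NewReader(client)
	line, err := rd.ReadString('\n')
	if err != nil { return err }
	if err := checkRequestLine(line); err != nil {
		io.WriteString(client, "HTTP/1.1 400 Bad Request\r\n\r\n")
		return err
	}
	server, err := net.Dial("tcp", upstream) // upstream address is a placeholder
	if err != nil { return err }
	defer server.Close()
	go func() {
		io.WriteString(server, line)           // replay the line already consumed
		io.Copy(server, rd)                    // then the rest of the client stream
		server.(*net.TCPConn).CloseWrite()     // client finished: signal EOF upstream
	}()
	_, err = io.Copy(client, server)
	return err
}
```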