nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Consumer Grade - IPV6 Enabled Router Firewalls.

From: Mohacsi Janos <mohacsi () niif hu>
Date: Sat, 12 Dec 2009 07:55:15 +0100 (CET)



On Fri, 11 Dec 2009, Roger Marquis wrote:


Joe Greco wrote:

Everyone knows a NAT gateway isn't really a firewall, except more or less
accidentally.  There's no good way to provide a hardware firewall in an
average residential environment that is not a disaster waiting to happen.


Gotta love it.  A proven technology, successfully implemented on millions
of residential firewalls "isn't really a firewall, but rather "a disaster
waiting to happen".  Make you wonder what disaster and when exactly it's
going to happen?

Simon Perreault wrote:

We have thus come to the conclusion that there shouldn't be a
NAT-like firewall in IPv6 home routers.


And that, in a nutshell, is why IPv6 is not going to become widely
feasible any time soon.

Whether or not there should be NAT in IPv6 is a purely rhetorical
argument.  The markets have spoken, and they demand NAT.

Is there a natophobe in the house who thinks there shouldn't be stateful
inspection in IPv6?  If not then could you explain what overhead NAT
requires that stateful inspection hasn't already taken care of?

Far from the issue some try to make it out to be, NAT is really just a
component of stateful inspection.  If you're going to implement
statefulness there is no technical downside to implementing NAT as well.
No downside, plenty of upsides, no brainer...
Nobodoy thinks that statefull firewall is not necessary for IPv6. If you want to particiapte the discussion then comment the IETF v6ops document: 
http://www.ietf.org/id/draft-ietf-v6ops-cpe-simple-security-08.txt

Best Regards,
                Janos Mohacsi
Previous By Date Next
Previous By Thread Next

Current thread: