nanog mailing list archives

Re: Consumer Grade - IPV6 Enabled Router Firewalls.

From: Owen DeLong <owen () delong com>
Date: Mon, 14 Dec 2009 01:08:36 -0800

I really am honestly sick of people thinking IPv6 is a panacea. Itisn't. UPnP is rather a bit of a hack for sure, protocols should bebetter designed, but in this modern age of Peer To Peer you need away for applications to ask the firewall to selectively openincoming ports.

If the addresses of your gaming machines are no longer dynamic andtheir ports are no longer getting dynamicallyremapped, why do you need that instead of a way to tell the firewallthat X machine is allowed to receivepackets on Y ports from Z hostlist (where X,Z can be wildcarded, and,Y can be some form of list, range, or

list of ranges)?

No, IPv6 is not a panacea. However, IPv6 does eliminate the need forrapidly changing addresses on hosts thatneed to accept inbound connections, which makes it possible to definepolicy for those hosts rather thanjust trusting unauthenticated arbitrary applications to amend yoursecurity policy at your border.

UPnP is the firewall equivalent of having US CBP admit any person whohas someone in the US say thatthey should be admitted. While I do support some level of immigrationreform and more open borders than

has been the trend of late, even I would not go that far.

Owen

Current thread:

Re: Consumer Grade - IPV6 Enabled Router Firewalls., (continued)
- - - Re: Consumer Grade - IPV6 Enabled Router Firewalls. Mark Newton (Dec 11)
    - Re: Consumer Grade - IPV6 Enabled Router Firewalls. Simon Perreault (Dec 12)
    - Re: Consumer Grade - IPV6 Enabled Router Firewalls. Joe Greco (Dec 11)
    - Re: Consumer Grade - IPV6 Enabled Router Firewalls. Simon Perreault (Dec 11)
    - Re: Consumer Grade - IPV6 Enabled Router Firewalls. Mikael Abrahamsson (Dec 11)
    - Re: Consumer Grade - IPV6 Enabled Router Firewalls. Mark Newton (Dec 11)
    - Re: Consumer Grade - IPV6 Enabled Router Firewalls. Chris Adams (Dec 11)
    - Re: Consumer Grade - IPV6 Enabled Router Firewalls. Joe Greco (Dec 11)
    - Re: Consumer Grade - IPV6 Enabled Router Firewalls. Joel Jaeggli (Dec 13)
    - Re: Consumer Grade - IPV6 Enabled Router Firewalls. Michael Loftis (Dec 13)
    - Re: Consumer Grade - IPV6 Enabled Router Firewalls. Owen DeLong (Dec 14)
    - Re: Consumer Grade - IPV6 Enabled Router Firewalls. Owen DeLong (Dec 14)
    - Re: Consumer Grade - IPV6 Enabled Router Firewalls. gordon b slater (Dec 14)
    - Re: Consumer Grade - IPV6 Enabled Router Firewalls. Chris Adams (Dec 14)
    - Re: Consumer Grade - IPV6 Enabled Router Firewalls. Mohacsi Janos (Dec 14)
    - Re: Consumer Grade - IPV6 Enabled Router Firewalls. Joel Jaeggli (Dec 14)
    - Re: Consumer Grade - IPV6 Enabled Router Firewalls. Steven Bellovin (Dec 14)
    - Re: Consumer Grade - IPV6 Enabled Router Firewalls. Joakim Aronius (Dec 15)
    - Re: Consumer Grade - IPV6 Enabled Router Firewalls. Mark Newton (Dec 15)
    - Re: Consumer Grade - IPV6 Enabled Router Firewalls. Joakim Aronius (Dec 16)
    - Re: Consumer Grade - IPV6 Enabled Router Firewalls. Owen DeLong (Dec 15)

(Thread continues...)