nanog mailing list archives
Re: Requirements for IPv6 Firewalls
From: George Herbert <george.herbert () gmail com>
Date: Thu, 17 Apr 2014 13:45:59 -0700
On Thu, Apr 17, 2014 at 11:32 AM, Eugeniu Patrascu <eugen () imacandi net> wrote:
... It's a bigger risk to think that NAT somehow magically protects you against stuff on the Internet. Also, if your problem is that someone can screw up firewalls rules, then you have bigger issue in your organization than IPv6.
There's a fair argument to be made which says that kind of NAT is unhealthy. If its proponents are correct, they'll win that argument later on with NAT-incompatible technology that enterprises want. After all, enterprise security folk didn't want the Internet in the corporate network at all, but having a web browser on every desk is just too darn useful. Where they won't win that argument is in the stretch of maximum risk for the enterprise security folk.

Any technology has associated risks, it's a matter of how you reduce/mitigate them. This paranoia thingie about IPv6 is getting a bit old. Just because you don't (seem to) understand how it works, it doesn't mean no one else should use it.
You are missing the point.

Granted, anyone who is IPv6 aware doing a green-field enterprise firewall design today should probably choose another way than NAT.

What you are failing to see is that "redesign firewall rules and approach from scratch along with the IPv6 implementation" usually is not the chosen path, versus "re-implement the same v4 firewall rules and technologies in IPv6 for the IPv6 implementation", because all the IPv6 aware net admins are having too much to do dealing with all the other conversion issues, vendor readiness all across the stack, etc.

Variations on this theme are part of why it's 2014 and IPv6 hasn't already taken over the world. The more rabid IPv6 proponents have in fact shot the transition in the legs repeatedly, and those of us who have been on the front lines would like you all to please shut up and get out of the way so we can actually finish effecting v6 deployment and move on to mopping up things like NAT later.

This is why listening to operators is important.

-- 
-george william herbert
george.herbert () gmail com
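The "re-implement the same v4 firewall rules in IPv6" path the message describes has a concrete shape. The ruleset below is an added illustration by the editor, not something posted in this thread: the IPv4 edge policy that many sites rely on (masquerading NAT plus a stateful forward chain) next to the IPv6 policy that preserves the only security property NAT actually provided, which is "no unsolicited inbound connections", without any address translation. Interface names (lan0, wan0) and the nftables syntax are assumptions for the example; the ICMPv6 types that must be allowed through are the ones RFC 4890 lists as required for path MTU discovery and basic diagnostics, which is the part most often lost when v4 rules are copied blindly.

```nft
# Added example (editor's, not from the thread). Assumes interfaces lan0 (inside)
# and wan0 (outside) and a Linux router running nftables.

# IPv4 as commonly deployed: private addresses inside, masquerade on the way out.
# The forward chain, not the NAT, is what blocks unsolicited inbound traffic.
table ip v4_edge {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lan0" oifname "wan0" accept
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan0" masquerade
    }
}

# IPv6 equivalent: hosts keep global addresses, no NAT table at all.
# Same default-deny stateful policy on the forward hook, with the ICMPv6
# messages that RFC 4890 says must cross a firewall for IPv6 to work.
table ip6 v6_edge {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Without packet-too-big, PMTUD breaks and large transfers stall;
        # IPv6 routers do not fragment, so this is not optional as in v4.
        icmpv6 type {
            destination-unreachable,
            packet-too-big,
            time-exceeded,
            parameter-problem,
            echo-request,
            echo-reply
        } accept
        iifname "lan0" oifname "wan0" accept
    }
}
```

A practitioner migrating rules this way should dry-run the file with `nft -c -f edge.nft` before loading it, then confirm from an outside host that a TCP connection to an inside global address is refused while `ping6` of that same host succeeds and a large-MTU transfer completes; the second check is what catches a v4-derived ruleset that dropped all ICMP. Neighbor Discovery on the router's own interfaces is handled on the input chain, not the forward chain, and is not shown here.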