nanog mailing list archives
Re: Requirements for IPv6 Firewalls
From: Simon Perreault <simon () per reau lt>
Date: Fri, 18 Apr 2014 14:32:47 -0400
On 2014-04-18 14:20, William Herrin wrote:
> On Fri, Apr 18, 2014 at 2:06 PM, Simon Perreault <simon () per reau lt> wrote:
>> IMHO, what the IETF can do is recommend a set of behavioural traits that make IPv6 firewalls behave like good citizens in the Internet ecosystem. Meaning that a firewall that obeys those requirements will not break the Internet. For example, passing ICMPv6 Too Big messages is important to not break the Internet.
>
> That would either be a very short document or a document so ideologically loaded that it has no technical utility. The Internet is pretty resilient. There isn't much a firewall can do to break it.
In IETF we routinely use the phrase "breaking the Internet" to mean something rather more limited than "breaking all of the Internet". There are tons of things firewalls can do, and some do today, that would be considered breaking the Internet. FYI, we had a similar document targeted at CGNs: http://tools.ietf.org/html/rfc6888
From the abstract:
   This document describes behavior that is required of those multi-subscriber NATs for interoperability. It is not an IETF endorsement of CGNs or a real specification for CGNs; rather, it is just a minimal set of requirements that will increase the likelihood of applications working across CGNs.

That is exactly the kind of requirements I am thinking of when I say "not breaking the Internet".

Still, there were a few "feature shopping list" requirements that crept into that RFC. It's far from perfect.

Simon