nanog mailing list archives

Re: Requirements for IPv6 Firewalls


From: George Herbert <george.herbert () gmail com>
Date: Fri, 18 Apr 2014 13:33:47 -0700

On Fri, Apr 18, 2014 at 10:15 AM, Timothy Morizot <tmorizot () gmail com> wrote:

> On Apr 18, 2014 10:04 AM, "William Herrin" <bill () herrin us> wrote:
> > That's correct: you don't understand. Until you do, just accept: there
> > are more than a few folks who want to, intend to and will use NAT for
> > IPv6. They will wait until NAT is available in their preferred
> > products before making any significant deployment efforts.
>
> Actually, the few like you will hold off until they are behind the curve,
> then scramble to catch up. Good luck with that strategy!



Again.  You're speaking down to William as if he's not IPv6 aware, which is
wrong, and ascribing to him misunderstandings and resistance that he (and
I) are trying to communicate to explain why customers in real life are
lagging so badly.

The reason the IPv6 market penetration is so poor right now is because of
antagonistic attitudes like this when actual implementers in the field try
to feed back what the actual, real objections are that are slowing things
down.  "That shouldn't happen," is not acceptable as a response to an
actual user saying "No, not until I get NAT."

If William and I fight that fight, lose it, and come back and tell you
"They won't go because insufficient NAT" you need to listen.  I've fought
this in a dozen places and lost 8 of them, not because I don't know v6, but
because the clients have inertia and politics around security posture
changes (and in some cases, PCI compliance regs).


-- 
-george william herbert
george.herbert () gmail com

