nanog mailing list archives

Re: Requirements for IPv6 Firewalls


From: Fernando Gont <fernando () gont com ar>
Date: Thu, 17 Apr 2014 13:15:22 -0300

Hi, William!

Thanks so much for your feedback! One meta comment: this document is an
Internet-Draft, not an RFC. It's just the second version (-01) we have
published... so it's not meant to be there. The reason for posting the
I-D here was so that I could get your input as early in the production
of this document as possible.

Comments in-line....

On 04/17/2014 12:51 PM, William Herrin wrote:

The feedback I would offer is this: You missed. By a lot.

For one thing, many of the requirements are vague, like REQ APP-20.
I've mitigated spam by allowing the operator to configure static
packet filters for the bad guy's netblock, right? Requirements "must"
be precise. Where you can't make it precise, drop it to a "should."

Ok, will expand REQ APP-20...
And why is spam mitigation a firewall requirement in the first place?
Traditionally that's handled by a specialty appliance, largely because
it's such a moving target.

Also, I note your draft is entitled "Requirements for IPv6 Enterprise
Firewalls." Frankly, no "enterprise" firewall will be taken seriously
without address-overloaded NAT. 

Just double-checking: you're referring to NAT where the same address is
employed for multiple hosts in the local network, and where the
transport-protocol port needs to be re-written by the NAT device?
(i.e., a NAT-PT)


I realize that's a controversial
statement in the IPv6 world but until you get past it you're basically
wasting your time on a document which won't be useful to industry.

That's certainly controversial in the IPv6 world, but I have no problem
with that. This sort of input (even much better if more people weigh in)
is exactly what we're looking for. Such that when we apply the
corresponding changes, and folks from other circles complain about them,
I can point them to this sort of discussion.

Thanks!

Best regards,
-- 
Fernando Gont
e-mail: fernando () gont com ar || fgont () si6networks com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
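As an added illustration of what "address-overloaded NAT" (port-rewriting NAT, often called NAPT) does, here is a toy translation table written for this archive page; it is not code from the draft or from either poster, and the external address, port pool and sample flows are constructed values. It shows the two behaviours the discussion touches on: many inside hosts share one outside address by having their source port rewritten, and inbound packets with no matching state are dropped.

```python
"""Toy model of address-overloaded NAT (NAPT).

Assumptions (not from the draft under discussion): one external address,
a sequential port pool, and address-dependent filtering of inbound
packets, i.e. a reply is only accepted from the remote endpoint the
mapping was created for.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (address, port)


@dataclass(frozen=True)
class Flow:
    proto: str
    src: Endpoint
    dst: Endpoint


class OverloadedNAT:
    """Maps many inside (addr, port) pairs onto a single outside address."""

    def __init__(self, external_addr: str, port_range=(1024, 65535),
                 address_dependent_filtering: bool = True):
        self.external_addr = external_addr
        self._next_port, self._max_port = port_range
        self.address_dependent_filtering = address_dependent_filtering
        # (proto, inside src) -> outside (addr, port) assigned to it
        self._outbound: Dict[Tuple[str, Endpoint], Endpoint] = {}
        # (proto, outside port) -> (inside src, remote dst the mapping was made for)
        self._inbound: Dict[Tuple[str, int], Tuple[Endpoint, Endpoint]] = {}

    def _allocate_port(self) -> int:
        # Port rewriting is what lets several inside hosts share one address:
        # each inside (addr, port) gets its own outside port.
        if self._next_port > self._max_port:
            raise RuntimeError("port pool exhausted")
        port = self._next_port
        self._next_port += 1
        return port

    def translate_outbound(self, flow: Flow) -> Flow:
        """Rewrite the source of an inside->outside packet, creating state."""
        key = (flow.proto, flow.src)
        if key not in self._outbound:
            outside = (self.external_addr, self._allocate_port())
            self._outbound[key] = outside
            self._inbound[(flow.proto, outside[1])] = (flow.src, flow.dst)
        return Flow(flow.proto, self._outbound[key], flow.dst)

    def translate_inbound(self, flow: Flow) -> Optional[Flow]:
        """Rewrite the destination of an outside->inside packet.

        Returns None (packet dropped) when no mapping exists, which is the
        implicit "no unsolicited inbound" behaviour people associate with
        NAT; with address-dependent filtering, a packet from a different
        remote endpoint than the one that created the mapping is also dropped.
        """
        if flow.dst[0] != self.external_addr:
            return None
        state = self._inbound.get((flow.proto, flow.dst[1]))
        if state is None:
            return None
        inside_src, remote = state
        if self.address_dependent_filtering and flow.src != remote:
            return None
        return Flow(flow.proto, flow.src, inside_src)


if __name__ == "__main__":
    nat = OverloadedNAT("203.0.113.1")  # constructed outside address
    for host in ("10.0.0.2", "10.0.0.3"):
        out = nat.translate_outbound(Flow("tcp", (host, 40000), ("198.51.100.7", 443)))
        print(f"{host}:40000 -> {out.src[0]}:{out.src[1]}")
    reply = nat.translate_inbound(Flow("tcp", ("198.51.100.7", 443), ("203.0.113.1", 1025)))
    print("reply delivered to", reply.dst if reply else "nobody (dropped)")
```

Note that the "drop unsolicited inbound" property comes entirely from the state table, not from the address rewriting; a stateful firewall keeps the same table without rewriting anything, which is the usual IPv6-side answer to this point.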