nanog mailing list archives

Re: Requirements for IPv6 Firewalls

From: Lee Howard <Lee () asgard org>
Date: Fri, 18 Apr 2014 18:01:24 -0400



On 4/17/14 8:51 PM, "Matthew Kaufman" <matthew () matthew at> wrote:

While you're at it, the document can explain to admins who have been
burned, often more than once, by the pain of re-numbering internal
services at static addresses how IPv6 without NAT will magically solve
this problem.



http://datatracker.ietf.org/doc/rfc6879/

This document analyzes events that cause renumbering and describes
   the current renumbering methods.  These are described in three
   categories: those applicable during network design, those applicable
   during preparation for renumbering, and those applicable during the
   renumbering operation.


Lee


Matthew Kaufman

(Sent from my iPhone)

On Apr 17, 2014, at 4:20 PM, Brandon Ross <bross () pobox com> wrote:

On Thu, 17 Apr 2014, Sander Steffann wrote:

Also, I note your draft is entitled "Requirements for IPv6 Enterprise
Firewalls." Frankly, no "enterprise" firewall will be taken seriously
without address-overloaded NAT. I realize that's a controversial
statement in the IPv6 world but until you get past it you're basically
wasting your time on a document which won't be useful to industry.


I disagree. While there certainly will be organisations that want such
a 'feature' it is certainly not a requirement for every (I hope most,
but I might be optimistic) enterprises.


And I not only agree with Sander, but would also argue for a definitive
statement in a document like this SPECIFICALLY to help educate the
enterprise networking community on how to implement a secure border for
IPv6 without the need for NAT.  Having a document to point at that has
been blessed by the IETF/community is key to helping recover the
end-to-end principle.  Such a document may or may not be totally in
scope for a "firewall" document, but should talk about concepts like
default-deny inbound traffic, stateful inspection and the use of address
space that is not announced to the Internet and/or is completely blocked
at borders for all traffic.

Heck, we could even make it less specific to IPv6 and create a document
that describes these concepts and show how NAT is not necessary nor wise
for IPv4, either.  (Yes, yes, other than address conservation.)

-- 
Brandon Ross                                      Yahoo & AIM:
BrandonNRoss
+1-404-635-6667                                                ICQ:
2269442
                                                        Skype:
brandonross
Schedule a meeting:  http://www.doodle.com/bross

Current thread:

Re: Requirements for IPv6 Firewalls, (continued)
- - - Re: Requirements for IPv6 Firewalls Timothy Morizot (Apr 17)
    - Thank you Comcast Michael T. Voity (Apr 17)
    - Re: Thank you Comcast Mehmet Akcin (Apr 17)
    - Re: Thank you Comcast Doug Barton (Apr 17)
    - Re: Requirements for IPv6 Firewalls Brandon Ross (Apr 17)
    - Re: Requirements for IPv6 Firewalls Matthew Kaufman (Apr 17)
    - Re: Requirements for IPv6 Firewalls Matt Palmer (Apr 18)
    - Re: Requirements for IPv6 Firewalls Seth Mos (Apr 18)
    - Re: Requirements for IPv6 Firewalls Enno Rey (Apr 18)
    - Re: Requirements for IPv6 Firewalls Nick Hilliard (Apr 18)
    - Re: Requirements for IPv6 Firewalls Lee Howard (Apr 18)
    - Re: Requirements for IPv6 Firewalls Fernando Gont (Apr 21)
    - Re: Requirements for IPv6 Firewalls Brandon Ross (Apr 21)
    - Re: Requirements for IPv6 Firewalls Enno Rey (Apr 18)
    - Re: Requirements for IPv6 Firewalls Doug Barton (Apr 18)
    - Re: Requirements for IPv6 Firewalls Enno Rey (Apr 18)
    - Re: Requirements for IPv6 Firewalls Doug Barton (Apr 19)
  - Re: Requirements for IPv6 Firewalls Lee Howard (Apr 18)
    - Re: Requirements for IPv6 Firewalls William Herrin (Apr 18)
- Re: Requirements for IPv6 Firewalls Glen Turner (Apr 18)