Re: Requirements for IPv6 Firewalls

[Doug Barton <dougb () dougbarton us>]

On 04/18/2014 07:58 PM, Enno Rey wrote:
> Hi,
>
> On Fri, Apr 18, 2014 at 11:59:04AM -0700, Doug Barton wrote:
> > On 04/18/2014 12:57 AM, Enno Rey wrote:
> > > I fully second Sander's input. I've been involved in IPv6 planning in a number of very large enterprises now and_none_  of them 
> > > required/asked for (66/overloading) NAT for their firewall environments. A few think about very specific deployments of NPTv6 like stuff 
> > > for connections to supplier/partner networks (to map those to their own address space) but these are corner cases not even relevant for 
> > > their "firewalls".
> >
> > How many of those networks were implementing with IPv6 PI space?
>
> all of them

Et Voila!

>   My
> > experience has been that those customers are not interested in IPv6 NAT,
> > but instead utilize network segmentation to define "internal" vs.
> > "external."
> >
> > OTOH, customers for whom PI space is not realistic (for whatever
> > reasons, and yes there are reasons) are very interested in the
> > combination of ULA + NTPv6 to handle internal resources without having
> > to worry about renumbering down the road.
>
> true. it's just we don't see many of those (actually I've yet to encounter a single one) and it could be debatable if they belong 
> to "Enterprise" networks (which is in the title of the ID).

If the draft wants to define "enterprise network" as "big enough and 
technically capable enough to warrant PI space" I wouldn't necessarily 
object, but the business customers I work with who aren't, might.

Doug