nanog mailing list archives
Re: Requirements for IPv6 Firewalls
From: Lee Howard <Lee () asgard org>
Date: Mon, 21 Apr 2014 12:32:40 -0400
From: George Herbert <george.herbert () gmail com>
Date: Friday, April 18, 2014 7:11 PM
To: Lee Howard <Lee () asgard org>
Cc: Eugeniu Patrascu <eugen () imacandi net>, "draft-gont-opsec-ipv6-firewall-reqs () tools ietf org" <draft-gont-opsec-ipv6-firewall-reqs () tools ietf org>, "nanog () nanog org" <nanog () nanog org>
Subject: Re: Requirements for IPv6 Firewalls

>> Lee Howard:
>> So, yeah, you have to give your firewall administrator time to walk through the rules and figure out what they ought to be in IPv6. Your firewall administrator has been wanting to clean up the rules for the last two years, anyway.
>
> The arrogance in this assertion is amazing.

What arrogance? I think I assert that IPv6 is time-consuming. There is no "deploy IPv6" button. fwiw, I do have enterprise network experience.

> You're describing best practice. Yes, of course, you should have well documented technical and business needs for what's open and what's closed in firewalls, and should have traceability from the rules in place to the requirements, and be able to walk the rules and understand them and reinterpret them from v4 to v6, to a new firewall vendor, etc etc.

Yes. Any publicly-traded company will have this because their auditors require it. I would think that companies without this documentation are probably not ready to deploy a new protocol. I concede that tracing the rules to the requirements is a hard one in practice (and a PITA in operational practice), but I don't think it's required to be able to map IPv4 rules to IPv6 rules.

> Again - THE INERTIA IN REAL ENTERPRISE ENVIRONMENTS SAYS OTHERWISE.

To clarify: are you asserting that IPv6 uptake in enterprises is slow, which is a sign of inertia, and the reason is that firewalls are poorly documented and therefore we must have IPv6 NAT? Maybe "lack of (perceived) business need" is the reason more enterprises don't have IPv6.

> Again - policy community blinders on understanding what real systems are like out in the world has repeatedly shot the conversion in the legs. If you're going to start floating standards for this kind of stuff, then listen to feedback on why things are failing.

I don't agree that things are failing. I would absolutely like to see enterprises adopt IPv6. Maybe at this stage enterprises with no firewall documentation are not good candidates for dual-stack. Those do seem to me to be the kind of clients who are likely to blame IPv6 for any problem, and insist it be turned off before any other troubleshooting.

Lee
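The point both sides circle in this exchange (that an IPv4 rule can only be carried over to IPv6 through the requirement behind it, because the IPv4 addresses in the rule say nothing about the IPv6 addresses of the same hosts) can be made concrete. The script below is an added example, not code from this thread or from the draft under discussion. The requirement register, the role-to-prefix address book, the rule base and the "REQ-17" identifier are all constructed for illustration; rules that trace to a requirement are re-expressed for IPv6 from the address book, rules that trace to nothing are reported as orphans for the administrator rather than guessed at, and the ICMPv6 error types that RFC 4890 says a firewall must pass are emitted as a baseline.

```python
"""Derive IPv6 firewall rules from the requirements behind IPv4 rules.

Added example; all data below is constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Requirement:
    req_id: str
    description: str
    src_role: str   # hypothetical role names, resolved through ADDRESS_BOOK
    dst_role: str
    proto: str
    dport: int


# Constructed address inventory: each role has its IPv4 and IPv6 prefixes.
ADDRESS_BOOK = {
    "partner-x": {"v4": ["203.0.113.0/24"], "v6": ["2001:db8:1::/48"]},
    "web-tier":  {"v4": ["10.0.0.5/32"],    "v6": ["2001:db8:10::5/128"]},
}

# Constructed requirements register (the traceability the auditors ask for).
REQUIREMENTS = {
    "REQ-17": Requirement("REQ-17", "Partner X reaches the web tier over HTTPS",
                          "partner-x", "web-tier", "tcp", 443),
}

# Constructed IPv4 rule base. The second rule has no requirement behind it.
IPV4_RULES = [
    {"src": "203.0.113.0/24", "dst": "10.0.0.5/32", "proto": "tcp", "dport": 443, "req": "REQ-17"},
    {"src": "198.51.100.7/32", "dst": "10.0.0.5/32", "proto": "tcp", "dport": 22,  "req": None},
]

# ICMPv6 error types RFC 4890 says a firewall must not drop (PMTU discovery
# and error signalling would break otherwise), as nftables type names.
BASELINE_ICMPV6 = ["destination-unreachable", "packet-too-big",
                   "time-exceeded", "parameter-problem"]


def derive_ipv6_rules(rules, requirements, book):
    """Return (ipv6_rules, orphans).

    A rule is translatable only through its requirement: the IPv4 prefixes in
    the rule are not a key into the IPv6 address plan. Rules with no
    requirement are returned as orphans to be documented or retired.
    """
    ipv6_rules, orphans = [], []
    for rule in rules:
        req = requirements.get(rule["req"]) if rule["req"] else None
        if req is None:
            orphans.append(rule)
            continue
        for src in book[req.src_role]["v6"]:
            for dst in book[req.dst_role]["v6"]:
                ipv6_rules.append({
                    "src": str(ip_network(src)), "dst": str(ip_network(dst)),
                    "proto": req.proto, "dport": req.dport, "req": req.req_id,
                })
    return ipv6_rules, orphans


def render_nft(ipv6_rules, baseline=BASELINE_ICMPV6):
    """Render as nftables rules; the requirement ID rides along as a comment."""
    lines = [f"icmpv6 type {t} accept" for t in baseline]
    for r in ipv6_rules:
        lines.append(f'ip6 saddr {r["src"]} ip6 daddr {r["dst"]} '
                     f'{r["proto"]} dport {r["dport"]} accept comment "{r["req"]}"')
    return lines


if __name__ == "__main__":
    v6, orphans = derive_ipv6_rules(IPV4_RULES, REQUIREMENTS, ADDRESS_BOOK)
    print("\n".join(render_nft(v6)))
    for o in orphans:
        print(f'# UNTRACEABLE, not translated: {o["src"]} -> {o["dst"]} '
              f'{o["proto"]}/{o["dport"]}')
```

The orphan report is the deliverable here: a rule that cannot be tied to a requirement cannot be re-expressed for a different address family, and the script refuses to invent one.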