RE: misunderstanding scale

["Naslund, Steve" <SNaslund () medline com>]

If they have a stateful IPv6 firewall (which they should and which most firewall vendors support), they already have 
what they need to prevent their internal systems from being accessible from the outside.  If you are an enterprise and 
you don't have a stateful firewall, you are in trouble from a security standpoint whether you run v4 or v6.  If you 
cannot configure a stateful firewall to block connections being initiated from outside, you are not qualified to be 
working with the firewall, v4 or v6 does not matter.  If someone is relying on NAT in case their firewall is 
misconfigured, they have major issues with security.

In the home, I am not sure what the major issue is there either.  How many CPE devices have you seen that do not 
implement basic firewall functionality?  People may not use them correctly but that is no more an issue with v6 than it 
is with v4.  Most CPE even comes out of the box blocking inbound connections by default.

Steve


-----Original Message-----
From: Mark Tinka [mailto:mark.tinka () seacom mu] 
Sent: Monday, March 24, 2014 11:35 AM
To: Timothy Morizot
Cc: NANOG list
Subject: Re: misunderstanding scale


> > Don't disagree with you there.

> > I'm saying many an enterprise (small and large) as well as homes operate this way. There is a lot of unlearning to do.

> > The whole issue is that a number of enterprises "may" only feel safe if IPv6 comes with NAT66, probably on top (or 
> > not on top) of a stateful IPv6 firewall.

> > We need to think about how to re-train the enterprise, if we don't want to repeat the erasure of the end-to-end 
> > model, second time around.

> > Mark.