While you're at it, the document can explain to admins who have been burned, often more than once, by the pain of re-numbering internal services at static addresses how IPv6 without NAT will magically solve this problem.
Matthew Kaufman
(Sent from my iPhone)

> On Apr 17, 2014, at 4:20 PM, Brandon Ross <br...@pobox.com> wrote:
>
> On Thu, 17 Apr 2014, Sander Steffann wrote:
>
>>> Also, I note your draft is entitled "Requirements for IPv6 Enterprise
>>> Firewalls." Frankly, no "enterprise" firewall will be taken seriously
>>> without address-overloaded NAT. I realize that's a controversial
>>> statement in the IPv6 world but until you get past it you're basically
>>> wasting your time on a document which won't be useful to industry.
>>
>> I disagree. While there certainly will be organisations that want such a
>> 'feature' it is certainly not a requirement for every (I hope most, but I
>> might be optimistic) enterprises.
>
> And I not only agree with Sander, but would also argue for a definitive
> statement in a document like this SPECIFICALLY to help educate the enterprise
> networking community on how to implement a secure border for IPv6 without the
> need for NAT. Having a document to point at that has been blessed by the
> IETF/community is key to helping recover the end-to-end principle. Such a
> document may or may not be totally in scope for a "firewall" document, but
> should talk about concepts like default-deny inbound traffic, stateful
> inspection and the use of address space that is not announced to the Internet
> and/or is completely blocked at borders for all traffic.
>
> Heck, we could even make it less specific to IPv6 and create a document that
> describes these concepts and show how NAT is not necessary nor wise for IPv4,
> either. (Yes, yes, other than address conservation.)
>
> --
> Brandon Ross                                      Yahoo & AIM:  BrandonNRoss
> +1-404-635-6667                                                ICQ:  2269442
>                                                             Skype:  brandonross
> Schedule a meeting:  http://www.doodle.com/bross
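The three border concepts Brandon lists in the quoted message (default-deny inbound, stateful inspection of flows opened from inside, and address space that is blocked at the border) can be shown without any address translation. The model below is an added example written for this thread; it is not code from the draft, from any of the posters, or from a real firewall product. All prefixes and hosts are constructed: 2001:db8:1::/48 (from the IPv6 documentation range) stands in for the enterprise's announced global prefix, fc00::/7 is the ULA range, and the `Packet`, `Border` and `demo` names are this example's own.

```python
"""Toy model of an IPv6 border policy with no NAT (added example, constructed
addresses). It keeps a flow table for connections opened from inside, denies
everything unsolicited from outside except deliberately published services,
passes the ICMPv6 types IPv6 cannot work without, and never lets ULA space
cross the border in either direction."""
import ipaddress
from dataclasses import dataclass

# Constructed prefixes: documentation range as "our" global prefix, ULA as the
# internal-only space that must never be routed across the border.
INSIDE = ipaddress.ip_network("2001:db8:1::/48")
ULA = ipaddress.ip_network("fc00::/7")
# ICMPv6 types a border must not drop if IPv6 is to keep working (RFC 4890):
# 1 destination unreachable, 2 packet too big, 3 time exceeded, 4 parameter problem.
ESSENTIAL_ICMPV6 = {1, 2, 3, 4}


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" (arriving from the Internet) or "out" (leaving the enterprise)
    proto: str      # "tcp", "udp" or "icmpv6"
    src: str
    dst: str
    sport: int = 0  # unused for icmpv6
    dport: int = 0  # for icmpv6 this field carries the ICMPv6 type


class Border:
    """Stateful IPv6 border: no translation, flows tracked by 5-tuple."""

    def __init__(self, published=()):
        # (proto, port) pairs the enterprise deliberately exposes, e.g. ("tcp", 443).
        self.published = set(published)
        # Outbound 5-tuples seen so far; an inbound packet is a reply if its
        # reversed tuple is here.
        self.flows = set()

    def decide(self, p: Packet) -> str:
        src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
        # Address space "completely blocked at borders for all traffic".
        if src in ULA or dst in ULA:
            return "drop: ULA at border"
        if p.direction == "out":
            # Egress filtering: only packets sourced from our own prefix may leave.
            if src not in INSIDE:
                return "drop: source not ours"
            self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return "accept: outbound, flow recorded"
        # Inbound from here on.
        if dst not in INSIDE:
            return "drop: not destined to us"
        if p.proto == "icmpv6" and p.dport in ESSENTIAL_ICMPV6:
            return "accept: essential icmpv6"
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows:
            return "accept: reply to established flow"
        if (p.proto, p.dport) in self.published:
            return "accept: published service"
        return "drop: default-deny inbound"


def demo():
    """Run a constructed packet sequence through the policy; returns the verdicts."""
    fw = Border(published={("tcp", 443)})
    inside_host = "2001:db8:1::10"   # constructed workstation
    inside_web = "2001:db8:1::80"    # constructed public web server
    outside = "2001:db8:ffff::1"     # constructed remote peer, outside our /48
    pkts = [
        Packet("out", "tcp", inside_host, outside, 51000, 80),      # client opens a flow
        Packet("in", "tcp", outside, inside_host, 80, 51000),       # the reply: established
        Packet("in", "tcp", outside, inside_host, 40000, 22),       # unsolicited: default deny
        Packet("in", "tcp", outside, inside_web, 40001, 443),       # published service
        Packet("in", "icmpv6", outside, inside_host, 0, 2),         # packet too big: must pass
        Packet("in", "tcp", "fd00::1", inside_host, 40002, 443),    # ULA source: blocked
        Packet("out", "tcp", "2001:db8:2::1", outside, 51001, 80),  # not our prefix: blocked
    ]
    return [fw.decide(p) for p in pkts]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The decision order matters: the ULA check and the egress source check run before anything else, the reply lookup runs before the published-service lookup, and the default-deny is the fall-through rather than an explicit rule. On a real border the same shape appears as a stateful `ct state established,related accept` rule in nftables plus explicit accepts for published services and essential ICMPv6, with the chain policy set to drop; this toy ignores neighbor discovery, fragment handling and timeouts, which any production ruleset must also cover.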