Hi, Brandon,

On 04/17/2014 08:20 PM, Brandon Ross wrote:
> On Thu, 17 Apr 2014, Sander Steffann wrote:
>
>>> Also, I note your draft is entitled "Requirements for IPv6 Enterprise
>>> Firewalls." Frankly, no "enterprise" firewall will be taken seriously
>>> without address-overloaded NAT. I realize that's a controversial
>>> statement in the IPv6 world but until you get past it you're basically
>>> wasting your time on a document which won't be useful to industry.
>>
>> I disagree. While there certainly will be organisations that want such
>> a 'feature' it is certainly not a requirement for every (I hope most,
>> but I might be optimistic) enterprises.
>
> And I not only agree with Sander, but would also argue for a definitive
> statement in a document like this SPECIFICALLY to help educate the
> enterprise networking community on how to implement a secure border for
> IPv6 without the need for NAT. Having a document to point at that has
> been blessed by the IETF/community is key to helping recover the
> end-to-end principle. Such a document may or may not be totally in
> scope for a "firewall" document, but should talk about concepts like
> default-deny inbound traffic, stateful inspection and the use of address
> space that is not announced to the Internet and/or is completely blocked
> at borders for all traffic.
Are you arguing against e.g. "default-deny inbound traffic"?

Thanks,
--
Fernando Gont
e-mail: ferna...@gont.com.ar || fg...@si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
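The three concepts Brandon lists (default-deny inbound, stateful inspection, and internal-only address space that is never forwarded across the border) can be expressed without any NAT. The ruleset below is an added illustration written for this page; it is not code posted by anyone in the thread and not from the draft under discussion. The interface names `wan0` and `lan0` and the ULA prefix `fd00:1234::/32` are placeholders; the set of ICMPv6 types admitted is a deliberately minimal starting point (RFC 4890 discusses the full filtering recommendations), since IPv6 does not function if ICMPv6 is blocked wholesale.

```nft
# Added example (not from the thread): minimal IPv6 border policy in nftables
# syntax showing default-deny inbound, stateful inspection via conntrack, and
# a non-announced internal prefix that never crosses the border in either
# direction. Interface names and the ULA prefix are assumptions.
table ip6 border {
    chain input {
        # Default-deny inbound to the firewall itself.
        type filter hook input priority 0; policy drop;

        iif "lo" accept

        # Stateful inspection: only replies to flows we (or the inside) started.
        ct state established,related accept
        ct state invalid drop

        # IPv6 needs a subset of ICMPv6 to work at all (PMTUD, NDP, errors).
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request,
                      nd-neighbor-solicit, nd-neighbor-advert } accept

        # Services deliberately exposed on the firewall host (assumed: SSH, HTTPS).
        tcp dport { 22, 443 } accept
    }

    chain forward {
        # Default-deny for transit traffic as well.
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Internal-only address space: never leaves, never arrives via the WAN.
        ip6 saddr fd00:1234::/32 oif "wan0" drop
        ip6 daddr fd00:1234::/32 iif "wan0" drop

        # Inside hosts may initiate outbound with their own global addresses;
        # the return traffic is admitted above by conntrack state, not by NAT.
        iif "lan0" oif "wan0" accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f <file>` on a Linux border router and inspect the result with `nft list table ip6 border`. The point relative to the NAT debate is that nothing in the inbound policy depends on address translation: unsolicited inbound packets are dropped by the chain policy, established flows are matched by the connection-tracking state, and the prefix you choose not to announce is additionally pinned at the border so that a routing mistake cannot expose it.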