Re: Requirements for IPv6 Firewalls

2014-04-22 Thread Lukasz Bromirski
On 22 Apr 2014, at 22:49, George Herbert wrote: > Any number of enterprises have chosen that if a DDOS or other advanced > attack is going to be successful, to let that be successful in bringing > down a firewall on the external shell of the security envelope rather than > having penetrated to t

Re: Requirements for IPv6 Firewalls

2014-04-22 Thread Doug Barton
On 04/22/2014 01:49 PM, George Herbert wrote: As long as the various stateful firewalls and IDS systems offer hostile action detection and blocking capabilities that raw webservers lack, there are certainly counterarguments to the "port filter only" approach being advocated here. Right, but now

Re: Requirements for IPv6 Firewalls

2014-04-22 Thread George Herbert
As long as the various stateful firewalls and IDS systems offer hostile action detection and blocking capabilities that raw webservers lack, there are certainly counterarguments to the "port filter only" approach being advocated here. Focusing only on DDOS prevention from one narrow range of attac

Re: Requirements for IPv6 Firewalls

2014-04-22 Thread Doug Barton
On 04/22/2014 01:15 PM, Matthew Huff wrote: I wouldn't manage a corporate network without a centrally managed firewall (stateful; or not). Matthew, No one is saying that. What Roland is saying, and the position that I agree with, is that putting a firewall in front of a system _that is inte

RE: Requirements for IPv6 Firewalls

2014-04-22 Thread Matthew Huff
22, 2014 3:46 PM To: Matthew Huff Cc: Brian Johnson; nanog@nanog.org Subject: Re: Requirements for IPv6 Firewalls On Tue, Apr 22, 2014 at 3:41 PM, Matthew Huff wrote: > I think some of the disconnect is the difference between a provider network > and a corporate one. > > For exam

Re: Requirements for IPv6 Firewalls

2014-04-22 Thread Doug Barton
On 04/22/2014 12:18 PM, Christopher Morrow wrote: Roland's saying basically: 1) if you deploy something on 'the internet' you should secure that something 2) the securing of that 'thing' should NOT be placing a stateful device between your users and the 'thing'. In a simple case of:

Re: Requirements for IPv6 Firewalls

2014-04-22 Thread Christopher Morrow
put acl on upstream router like: > permit tcp any any eq 80 > deny ip any any > 3) profit > > The router + acl will process line-rate traffic without care. > > -chris > >> I hate it when threads breakdown to this type of tripe and ridiculous >

Re: Requirements for IPv6 Firewalls

2014-04-22 Thread Christopher Morrow
ent of untruths. > > - Brian > >> -Original Message- >> From: Eric Wieling [mailto:ewiel...@nyigc.com] >> Sent: Tuesday, April 22, 2014 1:16 PM >> To: Dobbins, Roland; nanog@nanog.org >> Subject: RE: Requirements for IPv6 Firewalls >> >>

RE: Requirements for IPv6 Firewalls

2014-04-22 Thread Brian Johnson
age- > From: Eric Wieling [mailto:ewiel...@nyigc.com] > Sent: Tuesday, April 22, 2014 1:16 PM > To: Dobbins, Roland; nanog@nanog.org > Subject: RE: Requirements for IPv6 Firewalls > > It seems to me you are saying we should get rid of firewalls and rely on > applications net

RE: Requirements for IPv6 Firewalls

2014-04-22 Thread Eric Wieling
their applications. -Original Message- From: Dobbins, Roland [mailto:rdobb...@arbor.net] Sent: Saturday, April 19, 2014 12:10 AM To: nanog@nanog.org Subject: Re: Requirements for IPv6 Firewalls You can 'call' it all you like - but people who actually want to keep their serv

Re: Requirements for IPv6 Firewalls

2014-04-22 Thread Simon Perreault
On 2014-04-19 06:23, Florian Weimer wrote: >>> I agree with Bill. You can poopoo NAT all you want, but it's a fact >>> of most networks and will continue to remain so until you can make a >>> compelling case to move away from it. >> >> Does that mean all IPv6 firewalls should support NAT? > >

Re: Requirements for IPv6 Firewalls

2014-04-21 Thread George Herbert
On Mon, Apr 21, 2014 at 9:32 AM, Lee Howard wrote: > > You're describing best practice. Yes, of course, you should have well > documented technical and business needs for what's open and what's closed > in firewalls, and should have traceability from the rules in place to the > requirements, and

Re: Requirements for IPv6 Firewalls

2014-04-21 Thread Valdis Kletnieks
On Mon, 21 Apr 2014 12:10:31 -0400, Lee Howard said: > "Methods used to meet the intent of this > requirement may vary depending on the specific > networking technology being used. For example, > the controls used to meet this requirement may be > different for IPv4 networks than for IPv6 networks

Re: Requirements for IPv6 Firewalls

2014-04-21 Thread Brandon Ross
On Mon, 21 Apr 2014, Fernando Gont wrote: Are you arguing against of e.g. "default-deny inbound traffic"? Absolutely not, default deny of traffic should most certainly be one of the tools in the toolbox. -- Brandon Ross Yahoo & AIM: BrandonNRoss +1-404-6

Re: Requirements for IPv6 Firewalls

2014-04-21 Thread Lee Howard
From: George Herbert Date: Friday, April 18, 2014 7:11 PM To: Lee Howard Cc: Eugeniu Patrascu , "draft-gont-opsec-ipv6-firewall-r...@tools.ietf.org" , "nanog@nanog.org" Subject: Re: Requirements for IPv6 Firewalls > Lee Howard: >> So, yeah, you have to giv

Re: Requirements for IPv6 Firewalls

2014-04-21 Thread Lee Howard
On 4/18/14 10:16 PM, "Matt Palmer" wrote: >On Fri, Apr 18, 2014 at 10:04:35PM -0400, Jeff Kell wrote: >> As to address the other argument in this thread on NAT / private >> addressing, PCI requirement 1.3.8 pretty much requires RFC1918 >>addressing >> of the computers in scope... has anyone hi

Re: Requirements for IPv6 Firewalls

2014-04-21 Thread Fernando Gont
Hi, Brandon, On 04/17/2014 08:20 PM, Brandon Ross wrote: > On Thu, 17 Apr 2014, Sander Steffann wrote: > >>> Also, I note your draft is entitled "Requirements for IPv6 Enterprise >>> Firewalls." Frankly, no "enterprise" firewall will be taken seriously >>> without address-overloaded NAT. I realiz

Re: Requirements for IPv6 Firewalls

2014-04-20 Thread Dobbins, Roland
On Apr 20, 2014, at 10:15 PM, Seamus Ryan wrote: > It was more a friendly stab at the way DDoS mitigation providers push their > products; stateless router + ddos appliance = problem solved, throw > everything else out -

RE: Requirements for IPv6 Firewalls

2014-04-20 Thread Seamus Ryan
>>I'm talking about stateless ACLs on hardware-based routers and switches for >>enforcing network access policies - nothing to do with Arbor. Arbor doesn't >>make routers or switches. I am aware what Arbor do, have tested the kit before and it is neat stuff. It was more a friendly stab at the

RE: Requirements for IPv6 Firewalls

2014-04-20 Thread Seamus Ryan
d [mailto:rdobb...@arbor.net] Sent: Saturday, 19 April 2014 12:11 PM To: nanog@nanog.org Subject: Re: Requirements for IPv6 Firewalls On Apr 19, 2014, at 9:04 AM, Jeff Kell wrote: > It's how we provide access control. Firewalls <> 'access control'. Firewalls are one (general

Re: Requirements for IPv6 Firewalls

2014-04-20 Thread Dobbins, Roland
On Apr 20, 2014, at 8:52 PM, Seamus Ryan wrote: > Similarly if most of the time I just need to protect my relatively simple > network by implementing a few separate zones I will get a firewall, I'm not > going to deploy expensive stateless devices that can push a billion pps > everywhere and s

Re: Requirements for IPv6 Firewalls

2014-04-20 Thread Dobbins, Roland
On Apr 20, 2014, at 1:47 PM, Eugeniu Patrascu wrote: > Just go watch government at work :) Precisely. ;> --- Roland Dobbins // Luck is the residue of opportunity and design.

Re: Requirements for IPv6 Firewalls

2014-04-19 Thread Eugeniu Patrascu
On Sun, Apr 20, 2014 at 4:27 AM, Dobbins, Roland wrote: > > On Apr 20, 2014, at 2:32 AM, George William Herbert < > george.herb...@gmail.com> wrote: > > > I have 20-30,000 counterexamples in mind that I worked with directly in > the last decade. > > People do stupid things all the time - but gene

Re: Requirements for IPv6 Firewalls

2014-04-19 Thread Dobbins, Roland
On Apr 20, 2014, at 2:32 AM, George William Herbert wrote: > I have 20-30,000 counterexamples in mind that I worked with directly in the > last decade. People do stupid things all the time - but generally, it's hard to do them at scale. ;> --

Re: Requirements for IPv6 Firewalls

2014-04-19 Thread Doug Barton
On 04/18/2014 07:58 PM, Enno Rey wrote: Hi, On Fri, Apr 18, 2014 at 11:59:04AM -0700, Doug Barton wrote: On 04/18/2014 12:57 AM, Enno Rey wrote: I fully second Sander's input. I've been involved in IPv6 planning in a number of very large enterprises now and _none_ of them required/asked for (

Re: Requirements for IPv6 Firewalls

2014-04-19 Thread George William Herbert
On Apr 19, 2014, at 11:44 AM, Jimmy Hess wrote: > There is not widespread use of stateful firewall units with the > stateful element as a single point of failure in front of large public > web farms. I have 20-30,000 counterexamples in mind that I worked with directly in the last decade. An

Re: Requirements for IPv6 Firewalls

2014-04-19 Thread Jimmy Hess
On Sat, Apr 19, 2014 at 1:08 PM, George William Herbert wrote: > On Apr 18, 2014, at 9:10 PM, "Dobbins, Roland" wrote: > I don't know where you find ideas like this. > > There are stateful firewalls in the security packages in front of all the > internet facing servers in all the major service p

Re: Requirements for IPv6 Firewalls

2014-04-19 Thread Łukasz Bromirski
On 19 Apr 2014, at 20:08, George William Herbert wrote: > On Apr 18, 2014, at 9:10 PM, "Dobbins, Roland" wrote: > >> You can 'call' it all you like - but people who actually want to keep their >> servers up and running don't put stateful firewalls in front of them, > > I don't know where you

Re: Requirements for IPv6 Firewalls

2014-04-19 Thread George William Herbert
Sent from Kangphone On Apr 18, 2014, at 9:10 PM, "Dobbins, Roland" wrote: > You can 'call' it all you like - but people who actually want to keep their > servers up and running don't put stateful firewalls in front of them, I don't know where you find ideas like this. There are stateful fi

Re: Requirements for IPv6 Firewalls

2014-04-19 Thread Gary Buhrmaster
On Sat, Apr 19, 2014 at 2:29 PM, joel jaeggli wrote: > On 4/18/14, 7:04 PM, Jeff Kell wrote: >> PCI requirement 1.3.8 pretty much requires RFC1918 >> addressing of the computers in scope... > > It does not You are correct. In theory. However, for those organizations that have chosen to use a f

Re: Requirements for IPv6 Firewalls

2014-04-19 Thread joel jaeggli
On 4/18/14, 7:04 PM, Jeff Kell wrote: > PCI requirement 1.3.8 pretty much requires RFC1918 > addressing of the computers in scope... It does not. 1.3.8 Do not disclose private IP addresses and routing information to unauthorized parties. Note: Methods to obscure IP addressing may include, but a

Re: Requirements for IPv6 Firewalls

2014-04-19 Thread Florian Weimer
* Simon Perreault: > On 2014-04-18 13:25, Mike Hale wrote: >> I agree with Bill. You can poopoo NAT all you want, but it's a fact >> of most networks and will continue to remain so until you can make a >> compelling case to move away from it. > > Does that mean all IPv6 firewalls should suppor

Re: Requirements for IPv6 Firewalls

2014-04-19 Thread Eugeniu Patrascu
On Sat, Apr 19, 2014 at 5:04 AM, Jeff Kell wrote: > On 4/18/2014 9:53 PM, Dobbins, Roland wrote: > > On Apr 19, 2014, at 1:20 AM, William Herrin wrote: > > > >> There isn't much a firewall can do to break it. > > As someone who sees firewalls break the Internet all the time for those > whose pac

Re: Requirements for IPv6 Firewalls

2014-04-19 Thread Eugeniu Patrascu
On Sat, Apr 19, 2014 at 2:03 AM, Matthew Kaufman wrote: > Ignoring security, A is superior because I can change it to DNAT to the > new server, or DNAT to the load balancer now that said server needs 10 > replicas, etc. > > B requires re-numbering the server or *if* I am lucky enough that it is >

Re: Requirements for IPv6 Firewalls

2014-04-18 Thread Peter Kristolaitis
On 4/18/2014 11:29 PM, Jeff Kell wrote: Anyone ever pentested you? It's an enlightening experience. Jeff At a previous job, we hired a company (with CISSP-certified pentesters) to do a black box pentest of our network. Things I was "enlightened" by: - It's OK to work in a highly technical

Re: Requirements for IPv6 Firewalls

2014-04-18 Thread Jimmy Hess
On Fri, Apr 18, 2014 at 10:02 AM, William Herrin wrote: It would appear point (5) in favor of NAT with IPv6 is the only point that has any merit there. (1) to (4) are just rationalizations. None of (1) to (4) are the reasons IPv4 got NAT, none are valid, and none are good reasons to bring NAT

Re: Requirements for IPv6 Firewalls

2014-04-18 Thread Dobbins, Roland
On Apr 19, 2014, at 10:29 AM, Jeff Kell wrote: > I call BS... You can 'call' it all you like - but people who actually want to keep their servers up and running don't put stateful firewalls in front of them, because it's very easy to knock them over due to state exhaustion. In fact, it's far

Re: Requirements for IPv6 Firewalls

2014-04-18 Thread Jeff Kell
On 4/18/2014 10:10 PM, Dobbins, Roland wrote: > On Apr 19, 2014, at 9:04 AM, Jeff Kell wrote: > >> It's how we provide access control. > Firewalls <> 'access control'. > > Firewalls are one (generally, very poor and grossly misused) way of providing > access control. They're often wedged in wher

Re: Requirements for IPv6 Firewalls

2014-04-18 Thread Enno Rey
Hi, On Fri, Apr 18, 2014 at 11:59:04AM -0700, Doug Barton wrote: > On 04/18/2014 12:57 AM, Enno Rey wrote: > > I fully second Sander's input. I've been involved in IPv6 planning in a > > number of very large enterprises now and _none_ of them required/asked for > > (66/overloading) NAT for their

Re: Requirements for IPv6 Firewalls

2014-04-18 Thread Matt Palmer
On Fri, Apr 18, 2014 at 10:04:35PM -0400, Jeff Kell wrote: > As to address the other argument in this thread on NAT / private > addressing, PCI requirement 1.3.8 pretty much requires RFC1918 addressing > of the computers in scope... has anyone hinted at PCI for IPv6? 1.3.8 lists use of RFC1918 ad

Re: Requirements for IPv6 Firewalls

2014-04-18 Thread Dobbins, Roland
On Apr 19, 2014, at 9:04 AM, Jeff Kell wrote: > It's how we provide access control. Firewalls <> 'access control'. Firewalls are one (generally, very poor and grossly misused) way of providing access control. They're often wedged in where stateless ACLs in hardware-based routers and/or laye

Re: Requirements for IPv6 Firewalls

2014-04-18 Thread TheIpv6guy
On Fri, Apr 18, 2014 at 6:53 PM, Dobbins, Roland wrote: > > On Apr 19, 2014, at 1:20 AM, William Herrin wrote: > >> There isn't much a firewall can do to break it. > > As someone who sees firewalls break the Internet all the time for those whose > packets have the misfortune to traverse one, I m

Re: Requirements for IPv6 Firewalls

2014-04-18 Thread Jeff Kell
On 4/18/2014 9:53 PM, Dobbins, Roland wrote: > On Apr 19, 2014, at 1:20 AM, William Herrin wrote: > >> There isn't much a firewall can do to break it. > As someone who sees firewalls break the Internet all the time for those whose > packets have the misfortune to traverse one, I must respectfully

Re: Requirements for IPv6 Firewalls

2014-04-18 Thread Dobbins, Roland
On Apr 19, 2014, at 1:20 AM, William Herrin wrote: > There isn't much a firewall can do to break it. As someone who sees firewalls break the Internet all the time for those whose packets have the misfortune to traverse one, I must respectfully disagree. ;> ---

Re: Requirements for IPv6 Firewalls

2014-04-18 Thread Glen Turner
Fernando, Perhaps the document should have opened with a disclaimer that it is impossible to describe the full customer requirements for a firewall and thus a customer can reasonably add additional requirements. Then everyone knows where they stand and we avoid stupid (perhaps contractual) argu

Re: Requirements for IPv6 Firewalls

2014-04-18 Thread William Herrin
On Fri, Apr 18, 2014 at 6:10 PM, Lee Howard wrote: > On 4/17/14 11:51 AM, "William Herrin" wrote: >>Also, I note your draft is entitled "Requirements for IPv6 Enterprise >>Firewalls." Frankly, no "enterprise" firewall will be taken seriously >>without address-overloaded NAT. I realize that's a co

Re: Requirements for IPv6 Firewalls

2014-04-18 Thread William Herrin
On Fri, Apr 18, 2014 at 7:06 PM, William Herrin wrote: > On Fri, Apr 18, 2014 at 6:19 PM, Eugeniu Patrascu wrote: >> Defense in depth, to my knowledge - and feel free to correct me, is to have >> defenses at every point in the network and at the host level to protect >> against different attack v

Re: Requirements for IPv6 Firewalls

2014-04-18 Thread George Herbert
Lee Howard: > > So, yeah, you have to give your firewall administrator time to walk > through the rules and figure out what they ought to be in IPv6. Your > firewall administrator has been wanting to clean up the rules for the last > two years, anyway. The arrogance in this assertion is amazing

Re: Requirements for IPv6 Firewalls

2014-04-18 Thread William Herrin
On Fri, Apr 18, 2014 at 6:19 PM, Eugeniu Patrascu wrote: > On Fri, Apr 18, 2014 at 6:02 PM, William Herrin wrote: >> 4. Defense in depth is a core principle of all security, network and >> physical. If you don't practice it, your security is weak. Equipment >> which is not externally addressable

Re: Requirements for IPv6 Firewalls

2014-04-18 Thread Matthew Kaufman
Ignoring security, A is superior because I can change it to DNAT to the new server, or DNAT to the load balancer now that said server needs 10 replicas, etc. B requires re-numbering the server or *if* I am lucky enough that it is reached by DNS name and I can change that DNS promptly, assignin

Re: Requirements for IPv6 Firewalls

2014-04-18 Thread Matt Palmer
On Fri, Apr 18, 2014 at 06:37:28PM -0400, Lee Howard wrote: > On 4/18/14 4:33 PM, "George Herbert" wrote: > > > >If William and I fight that fight, lose it, and come back and tell you > >"They won't go because insufficient NAT" you need to listen. I've fought > >this in a dozen places and lost 8

Re: Requirements for IPv6 Firewalls

2014-04-18 Thread William Herrin
On Fri, Apr 18, 2014 at 6:36 PM, Lee Howard wrote: > Some operators want NAT. Some don't. There are loud voices on both > sides. Consensus seems slightly against. Hi Lee, Some operators want NAT. That's it. End of discussion. This isn't a consensus question. Some operators want NAT. Period. Fu

Re: Requirements for IPv6 Firewalls

2014-04-18 Thread Lee Howard
On 4/18/14 4:33 PM, "George Herbert" wrote: > >If William and I fight that fight, lose it, and come back and tell you >"They won't go because insufficient NAT" you need to listen. I've fought >this in a dozen places and lost 8 of them, not because I don't know v6, >but >because the clients have

Re: Requirements for IPv6 Firewalls

2014-04-18 Thread Lee Howard
On 4/17/14 4:45 PM, "George Herbert" wrote: > >> There's a fair argument to be made which says that kind of NAT is >> > unhealthy. If its proponents are correct, they'll win that argument >> > later on with NAT-incompatible technology that enterprises want. After >> > all, enterprise security fo

Re: Requirements for IPv6 Firewalls

2014-04-18 Thread Eugeniu Patrascu
On Fri, Apr 18, 2014 at 10:49 PM, Jim Clausing wrote: > And maybe I'm just dense, but no one has been able to tell me how I > accomplish this in IPv6 without NAT, I have the requirement in certain > circumstances to transparently redirect all outbound DNS (well, on TCP or > UDP port 53) and/or SM

Re: Requirements for IPv6 Firewalls

2014-04-18 Thread Eugeniu Patrascu
On Fri, Apr 18, 2014 at 6:02 PM, William Herrin wrote: > On Fri, Apr 18, 2014 at 3:31 AM, Eugeniu Patrascu > wrote: > > On Thu, Apr 17, 2014 at 11:45 PM, George Herbert < > george.herb...@gmail.com> > > wrote: > >> You are missing the point. > >> > >> Granted, anyone who is IPv6 aware doing a gr

Re: Requirements for IPv6 Firewalls

2014-04-18 Thread Lee Howard
On 4/17/14 11:51 AM, "William Herrin" wrote: > >Also, I note your draft is entitled "Requirements for IPv6 Enterprise >Firewalls." Frankly, no "enterprise" firewall will be taken seriously >without address-overloaded NAT. I realize that's a controversial >statement in the IPv6 world but until y

Re: Requirements for IPv6 Firewalls

2014-04-18 Thread Lee Howard
On 4/17/14 8:51 PM, "Matthew Kaufman" wrote: >While you're at it, the document can explain to admins who have been >burned, often more than once, by the pain of re-numbering internal >services at static addresses how IPv6 without NAT will magically solve >this problem. http://datatracker.ietf

Re: Requirements for IPv6 Firewalls

2014-04-18 Thread George Herbert
On Fri, Apr 18, 2014 at 10:15 AM, Timothy Morizot wrote: > On Apr 18, 2014 10:04 AM, "William Herrin" wrote: > > That's correct: you don't understand. Until you do, just accept: there > > are more than a few folks who want to, intend to and will use NAT for > > IPv6. They will wait until NAT is a

Re: Requirements for IPv6 Firewalls

2014-04-18 Thread Jim Clausing
And maybe I'm just dense, but no one has been able to tell me how I accomplish this in IPv6 without NAT, I have the requirement in certain circumstances to transparently redirect all outbound DNS (well, on TCP or UDP port 53) and/or SMTP (TCP ports 25 and 587) to my own servers. No, simply blo

Re: Requirements for IPv6 Firewalls

2014-04-18 Thread Simon Perreault
On 2014-04-18 14:57, William Herrin wrote: > Excluding references and remarks RFC 6888 is 8 pages long with 15 > total requirements. Short. Given the trend toward ever-fluffier RFCs, I'll take that as a compliment. :) > I'll let the firewall document's authors speak for themselves about > thei

Re: Requirements for IPv6 Firewalls

2014-04-18 Thread Doug Barton
On 04/18/2014 12:57 AM, Enno Rey wrote: I fully second Sander's input. I've been involved in IPv6 planning in a number of very large enterprises now and _none_ of them required/asked for (66/overloading) NAT for their firewall environments. A few think about very specific deployments of NPTv6 l

Re: Requirements for IPv6 Firewalls

2014-04-18 Thread William Herrin
On Fri, Apr 18, 2014 at 2:32 PM, Simon Perreault wrote: > On 2014-04-18 14:20, William Herrin wrote: >> That would either be a very short document or a document so >> ideologically loaded that it has no technical utility. The Internet is >> pretty resilient. There isn't much a firewall can do t

Re: Requirements for IPv6 Firewalls

2014-04-18 Thread Simon Perreault
On 2014-04-18 14:20, William Herrin wrote: > On Fri, Apr 18, 2014 at 2:06 PM, Simon Perreault wrote: >> IMHO, what the IETF can do is recommend a set of behavioural traits that >> make IPv6 firewalls behave like good citizens in the Internet ecosystem. >> Meaning that a firewall that obeys thos

Re: Requirements for IPv6 Firewalls

2014-04-18 Thread William Herrin
On Fri, Apr 18, 2014 at 2:06 PM, Simon Perreault wrote: > IMHO, what the IETF can do is recommend a set of behavioural traits that > make IPv6 firewalls behave like good citizens in the Internet ecosystem. > Meaning that a firewall that obeys those requirements will not break the > Internet. For e

Re: Requirements for IPv6 Firewalls

2014-04-18 Thread Simon Perreault
On 2014-04-18 14:00, William Herrin wrote: > On Fri, Apr 18, 2014 at 1:40 PM, Simon Perreault wrote: >> On 2014-04-18 13:35, William Herrin wrote: >>> Your document specifies "Enterprise" firewalls. Frankly I think that's >>> wise. Consumer and enterprise users have very different needs and

Re: Requirements for IPv6 Firewalls

2014-04-18 Thread Gary Buhrmaster
On Fri, Apr 18, 2014 at 3:02 PM, William Herrin wrote: > The main drivers behind the desire for NAT in IPv6 you've heard > before, but I'll repeat them for the sake of clarity: 5. Some industries (PCI compliance) *require* NAT as part of the audit-able requirements. Yes, that should get

Re: Requirements for IPv6 Firewalls

2014-04-18 Thread William Herrin
On Fri, Apr 18, 2014 at 1:40 PM, Simon Perreault wrote: > On 2014-04-18 13:35, William Herrin wrote: >> Your document specifies "Enterprise" firewalls. Frankly I think that's >> wise. Consumer and enterprise users have very different needs and very >> different cost points. > > Over here we hav

Re: Requirements for IPv6 Firewalls

2014-04-18 Thread Mike Hale
Many enterprises probably are in the same position, but a whole lot of them aren't. Maybe this comes down to "should" versus "must". I don't think all IPv6 firewalls "must" support NAT, but they should. On Fri, Apr 18, 2014 at 10:40 AM, Simon Perreault wrote: > On 2014-04-18 13:35, William Herr

Re: Requirements for IPv6 Firewalls

2014-04-18 Thread Simon Perreault
On 2014-04-18 13:35, William Herrin wrote: >> Does that mean all IPv6 firewalls should support NAT? >> >> Remember, we're aiming for a base set of requirements applying to all >> IPv6 firewalls. > > Your document specifies "Enterprise" firewalls. Frankly I think that's > wise. Consumer and ente

Re: Requirements for IPv6 Firewalls

2014-04-18 Thread William Herrin
On Fri, Apr 18, 2014 at 1:15 PM, Timothy Morizot wrote: > On Apr 18, 2014 10:04 AM, "William Herrin" wrote: >> That's correct: you don't understand. Until you do, just accept: there >> are more than a few folks who want to, intend to and will use NAT for >> IPv6. They will wait until NAT is avail

Re: Requirements for IPv6 Firewalls

2014-04-18 Thread William Herrin
On Fri, Apr 18, 2014 at 1:31 PM, Simon Perreault wrote: > On 2014-04-18 13:25, Mike Hale wrote: >> I agree with Bill. You can poopoo NAT all you want, but it's a fact >> of most networks and will continue to remain so until you can make a >> compelling case to move away from it. > > Does that

Re: Requirements for IPv6 Firewalls

2014-04-18 Thread Simon Perreault
On 2014-04-18 13:25, Mike Hale wrote: > I agree with Bill. You can poopoo NAT all you want, but it's a fact > of most networks and will continue to remain so until you can make a > compelling case to move away from it. Does that mean all IPv6 firewalls should support NAT? Remember, we're aimi

Re: Requirements for IPv6 Firewalls

2014-04-18 Thread Mike Hale
Depends on your definition of "behind the curve". You could make the argument that folks who aren't IPv6 ready now are behind the curve. A weak argument considering IPv4 works perfectly fine for those of 'behind the curve'. I agree with Bill. You can poopoo NAT all you want, but it's a fact of

Re: Requirements for IPv6 Firewalls

2014-04-18 Thread Timothy Morizot
On Apr 18, 2014 10:04 AM, "William Herrin" wrote: > That's correct: you don't understand. Until you do, just accept: there > are more than a few folks who want to, intend to and will use NAT for > IPv6. They will wait until NAT is available in their preferred > products before making any significa

Re: Requirements for IPv6 Firewalls

2014-04-18 Thread William Herrin
On Fri, Apr 18, 2014 at 3:31 AM, Eugeniu Patrascu wrote: > On Thu, Apr 17, 2014 at 11:45 PM, George Herbert > wrote: >> You are missing the point. >> >> Granted, anyone who is IPv6 aware doing a green-field enterprise firewall >> design today should probably choose another way than NAT. >> > > Th

Re: Requirements for IPv6 Firewalls

2014-04-18 Thread Nick Hilliard
On 18/04/2014 01:51, Matthew Kaufman wrote: > While you're at it, the document can explain to admins who have been > burned, often more than once, by the pain of re-numbering internal > services at static addresses how IPv6 without NAT will magically solve > this problem. it's magic. There's no n

Re: Requirements for IPv6 Firewalls

2014-04-18 Thread Enno Rey
Hi, On Fri, Apr 18, 2014 at 04:57:57PM +1000, Matt Palmer wrote: > On Thu, Apr 17, 2014 at 09:05:17PM -0500, Timothy Morizot wrote: > > On Apr 17, 2014 7:52 PM, "Matthew Kaufman" wrote: > > > While you're at it, the document can explain to admins who have been > > burned, often more than once, by

Re: Requirements for IPv6 Firewalls

2014-04-18 Thread Enno Rey
Hi, On Thu, Apr 17, 2014 at 06:55:24PM +0200, Sander Steffann wrote: > Hi Bill, > > > Also, I note your draft is entitled "Requirements for IPv6 Enterprise > > Firewalls." Frankly, no "enterprise" firewall will be taken seriously > > without address-overloaded NAT. I realize that's a controversia

Re: Requirements for IPv6 Firewalls

2014-04-18 Thread Eugeniu Patrascu
On Thu, Apr 17, 2014 at 11:45 PM, George Herbert wrote: > > > > On Thu, Apr 17, 2014 at 11:32 AM, Eugeniu Patrascu wrote: > >> ... >> It's a bigger risk to think that NAT somehow magically protects you >> against >> stuff on the Internet. >> Also, if your problem is that someone can screw up firew

Re: Requirements for IPv6 Firewalls

2014-04-18 Thread Seth Mos
On 18-4-2014 8:57, Matt Palmer wrote: > On Thu, Apr 17, 2014 at 09:05:17PM -0500, Timothy Morizot wrote: >> On Apr 17, 2014 7:52 PM, "Matthew Kaufman" wrote: >>> While you're at it, the document can explain to admins who have been >> burned, often more than once, by the pain of re-numbering intern

Re: Requirements for IPv6 Firewalls

2014-04-17 Thread Matt Palmer
On Thu, Apr 17, 2014 at 09:05:17PM -0500, Timothy Morizot wrote: > On Apr 17, 2014 7:52 PM, "Matthew Kaufman" wrote: > > While you're at it, the document can explain to admins who have been > burned, often more than once, by the pain of re-numbering internal services > at static addresses how IPv6

Re: Requirements for IPv6 Firewalls

2014-04-17 Thread Seth Mos
On 17 Apr 2014, at 20:50, William Herrin wrote the following: > On Thu, Apr 17, 2014 at 2:32 PM, Eugeniu Patrascu wrote: >> It's a bigger risk to think that NAT somehow magically protects you against >> stuff on the Internet. > > You are entitled to your opinion and you are entitled

Re: Requirements for IPv6 Firewalls

2014-04-17 Thread Matthew Kaufman
I think I got you to say "NAT" Matthew Kaufman (Sent from my iPhone) > On Apr 17, 2014, at 7:05 PM, Timothy Morizot wrote: > > > On Apr 17, 2014 7:52 PM, "Matthew Kaufman" wrote: > > > > While you're at it, the document can explain to admins who have been > > burned, often more than once, b

Re: Requirements for IPv6 Firewalls

2014-04-17 Thread Brandon Ross
On Thu, 17 Apr 2014, Timothy Morizot wrote: On Apr 17, 2014 7:52 PM, "Matthew Kaufman" wrote: While you're at it, the document can explain to admins who have been burned, often more than once, by the pain of re-numbering internal services at static addresses how IPv6 without NAT will magical

Re: Requirements for IPv6 Firewalls

2014-04-17 Thread Timothy Morizot
On Apr 17, 2014 7:52 PM, "Matthew Kaufman" wrote: > > While you're at it, the document can explain to admins who have been burned, often more than once, by the pain of re-numbering internal services at static addresses how IPv6 without NAT will magically solve this problem. If you're worried abou

Re: Requirements for IPv6 Firewalls

2014-04-17 Thread Matthew Kaufman
While you're at it, the document can explain to admins who have been burned, often more than once, by the pain of re-numbering internal services at static addresses how IPv6 without NAT will magically solve this problem. Matthew Kaufman (Sent from my iPhone) > On Apr 17, 2014, at 4:20 PM, Bran

Re: Requirements for IPv6 Firewalls

2014-04-17 Thread Brandon Ross
On Thu, 17 Apr 2014, Sander Steffann wrote: Also, I note your draft is entitled "Requirements for IPv6 Enterprise Firewalls." Frankly, no "enterprise" firewall will be taken seriously without address-overloaded NAT. I realize that's a controversial statement in the IPv6 world but until you get p

Re: Requirements for IPv6 Firewalls

2014-04-17 Thread Fernando Gont
On 04/17/2014 06:48 PM, Matthew Kaufman wrote: > On 4/17/2014 1:45 PM, George Herbert wrote: >> This is why listening to operators is important. > > Why start now? After all, most of the useful input operators could have > provided would have been much more useful at the beginning. I cannot spea

Re: Requirements for IPv6 Firewalls

2014-04-17 Thread Mark Andrews
In message <53504c18.7050...@matthew.at>, Matthew Kaufman writes: > On 4/17/2014 1:45 PM, George Herbert wrote: > > This is why listening to operators is important. > > Why start now? After all, most of the useful input operators could have > provided would have been much more useful at the beg

Re: Requirements for IPv6 Firewalls

2014-04-17 Thread Matthew Kaufman
On 4/17/2014 1:45 PM, George Herbert wrote: This is why listening to operators is important. Why start now? After all, most of the useful input operators could have provided would have been much more useful at the beginning. Matthew Kaufman

Re: Requirements for IPv6 Firewalls

2014-04-17 Thread Dobbins, Roland
On Apr 18, 2014, at 1:04 AM, Dustin Jurman wrote: > - the approach is from an end user than service provider. The firewall > operator would be more interested in identifying PPS for attacks / > compromised hosts VS QOS but I supposed it could be used for QOS as well. > (Not my intent) So tod

Re: Requirements for IPv6 Firewalls

2014-04-17 Thread George Herbert
On Thu, Apr 17, 2014 at 11:32 AM, Eugeniu Patrascu wrote: > ... > It's a bigger risk to think that NAT somehow magically protects you against > stuff on the Internet. > Also, if your problem is that someone can screw up firewalls rules, then > you have bigger issue in your organization than IPv6.

Re: Requirements for IPv6 Firewalls

2014-04-17 Thread William Herrin
On Thu, Apr 17, 2014 at 4:04 PM, wrote: > On Thu, 17 Apr 2014 14:50:01 -0400, William Herrin said: > >> To vendors who would sell me product, I would respectfully suggest >> that attempts to forcefully educate me as to what I *should want* >> offers neither a short nor particularly successful pat

Re: Requirements for IPv6 Firewalls

2014-04-17 Thread Timothy Morizot
On Apr 17, 2014 3:07 PM, wrote: > > On Thu, 17 Apr 2014 14:50:01 -0400, William Herrin said: > > > To vendors who would sell me product, I would respectfully suggest > > that attempts to forcefully educate me as to what I *should want* > > offers neither a short nor particularly successful path to

Re: Requirements for IPv6 Firewalls

2014-04-17 Thread Valdis . Kletnieks
On Thu, 17 Apr 2014 14:50:01 -0400, William Herrin said: > To vendors who would sell me product, I would respectfully suggest > that attempts to forcefully educate me as to what I *should want* > offers neither a short nor particularly successful path to closing a > sale. Which is why you reject

Re: Requirements for IPv6 Firewalls

2014-04-17 Thread William Herrin
On Thu, Apr 17, 2014 at 2:32 PM, Eugeniu Patrascu wrote: > It's a bigger risk to think that NAT somehow magically protects you against > stuff on the Internet. You are entitled to your opinion and you are entitled to run your network in accordance with your opinion. To vendors who would sell me

Re: Requirements for IPv6 Firewalls

2014-04-17 Thread Eugeniu Patrascu
On Thu, Apr 17, 2014 at 9:05 PM, William Herrin wrote: > > Here's the drill: From an enterprise security perspective, deploying > IPv6 is high risk. I have to re-implement every rule I set on my IPv4 > addresses all over again with my IPv6 addresses and hope I don't screw > it up in a way that le
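The risk Herrin describes above (re-implementing every IPv4 rule for IPv6 and hoping nothing was left open) is mechanical enough to check. The following is an added example, not code from the thread or from any firewall vendor: it reads two rulesets in a constructed, vendor-neutral format ("action proto dport dst", first match wins, implicit final deny), asks the same questions of each family for each dual-stacked host, and reports services reachable over one family but not the other. The rule syntax, the 192.0.2.0/24 and 2001:db8::/64 addresses and the host list are all made up for the example.

```python
"""Dual-stack firewall policy parity check (added example, not from the thread).

Rule format is constructed for this example and is not any vendor's syntax:
one rule per line, 'action proto dport dst', first match wins, and anything
that matches no rule is denied.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

ACTIONS = {"allow", "deny"}
PROTOS = {"tcp", "udp", "any"}


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None means any destination port
    dst: object            # ipaddress.IPv4Network or IPv6Network


def parse_rules(text: str) -> list[Rule]:
    """Parse the constructed rule format; reject anything malformed loudly."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 'action proto dport dst'")
        action, proto, dport, dst = parts
        if action not in ACTIONS or proto not in PROTOS:
            raise ValueError(f"line {lineno}: bad action/proto '{action} {proto}'")
        port = None if dport == "any" else int(dport)
        if port is not None and not 0 < port < 65536:
            raise ValueError(f"line {lineno}: bad port '{dport}'")
        rules.append(Rule(action, proto, port, ipaddress.ip_network(dst, strict=False)))
    return rules


def verdict(rules: list[Rule], proto: str, port: int, addr: str) -> str:
    """First-match evaluation with an implicit final deny."""
    address = ipaddress.ip_address(addr)
    for r in rules:
        if address not in r.dst:              # also False on a v4/v6 mismatch
            continue
        if r.proto != "any" and r.proto != proto:
            continue
        if r.dport is not None and r.dport != port:
            continue
        return r.action
    return "deny"


def exposed(rules: list[Rule], addr: str, services) -> set:
    """The subset of (proto, port) pairs the policy lets through to addr."""
    return {svc for svc in services if verdict(rules, svc[0], svc[1], addr) == "allow"}


def parity_report(rules_v4, rules_v6, hosts, services) -> dict:
    """For each host (name -> (v4addr, v6addr)) return (only_v4, only_v6)."""
    report = {}
    for name, (a4, a6) in hosts.items():
        e4 = exposed(rules_v4, a4, services)
        e6 = exposed(rules_v6, a6, services)
        report[name] = (e4 - e6, e6 - e4)
    return report


# Constructed sample policies. The v6 copy has the kind of slip the thread worries
# about: an extra port opened to the whole prefix that the v4 policy never allowed.
RULES_V4 = """
allow tcp 443 192.0.2.10/32
allow tcp 22  192.0.2.0/24
deny  any any 192.0.2.0/24
"""
RULES_V6 = """
allow tcp 443  2001:db8::10/128
allow tcp 22   2001:db8::/64
allow tcp 3306 2001:db8::/64   # only present in the v6 copy
deny  any any  2001:db8::/64
"""
HOSTS = {"web": ("192.0.2.10", "2001:db8::10"), "db": ("192.0.2.20", "2001:db8::20")}
SERVICES = [("tcp", 443), ("tcp", 22), ("tcp", 3306), ("udp", 53)]


def main() -> None:
    report = parity_report(parse_rules(RULES_V4), parse_rules(RULES_V6), HOSTS, SERVICES)
    for name, (only_v4, only_v6) in sorted(report.items()):
        print(f"{name}: reachable only over IPv4 {sorted(only_v4)}, only over IPv6 {sorted(only_v6)}")


if __name__ == "__main__":
    main()
```

The probe list is deliberately wider than what either policy allows; checking a service the policy should block on both families is what catches a rule that was added on one side only. Against a real firewall the same comparison would be driven off the exported configuration rather than this toy format.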

Re: Requirements for IPv6 Firewalls

2014-04-17 Thread William Herrin
On Thu, Apr 17, 2014 at 12:15 PM, Fernando Gont wrote: > Thanks so much for your feedback! One meta comment: this document is an > Internet-Draft, not an RFC. It's just the second version (-01) we have > published... so it's not meant to be there. Hi Fernando, I apologize; my tone was out of lin

RE: Requirements for IPv6 Firewalls

2014-04-17 Thread Dustin Jurman
l 17, 2014 8:51 AM To: NANOG Subject: Re: Requirements for IPv6 Firewalls On Apr 17, 2014, at 7:35 PM, Dustin Jurman wrote: > - packets per second > - Firewall Level > - Hosts level This is getting into QoS territory . . . > - packet size information Concur - packet
