Hi, William! Thanks so much for your feedback! One meta comment: this document is an Internet-Draft, not an RFC. It's just the second version (-01) we have published... so it's not meant to be there. The reason for posting the I-D here was so that I could get your input as early in the production of this document as possible. Comments in-line....

On 04/17/2014 12:51 PM, William Herrin wrote:
> The feedback I would offer is this: You missed. By a lot.
>
> For one thing, many of the requirements are vague, like REQ APP-20. I've mitigated spam by allowing the operator to configure static packet filters for the bad guy's netblock, right? Requirements "must" be precise. Where you can't make it precise, drop it to a "should."
Ok, will expand REQ APP-20...
> And why is spam mitigation a firewall requirement in the first place? Traditionally that's handled by a specialty appliance, largely because it's such a moving target.
>
> Also, I note your draft is entitled "Requirements for IPv6 Enterprise Firewalls." Frankly, no "enterprise" firewall will be taken seriously without address-overloaded NAT.
Just double-checking: you're referring to NAT where the same address is employed for multiple hosts in the local network, and where the transport-protocol port needs to be re-written by the NAT device? (i.e., a NAT-PT)
> I realize that's a controversial statement in the IPv6 world but until you get past it you're basically wasting your time on a document which won't be useful to industry.
That's certainly controversial in the IPv6 world, but I have no problem with that. This sort of input (even better if more people weigh in) is exactly what we're looking for. Such that when we apply the corresponding changes, and folks from other circles complain about them, I can point them to this sort of discussion. Thanks!

Best regards,
--
Fernando Gont
e-mail: fernando@gont.com.ar || fgont@si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
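The "address-overloaded NAT" the thread is arguing over is the one where many internal hosts share a single external address and the translator rewrites the transport source port so that return traffic can be demultiplexed. The following Python model is an added illustration, not code from the draft or from either poster; the addresses (10.0.0.0/8 internal, 198.51.100.1 external, 203.0.113.0/24 remote) and the `Napt` class are constructed for the example. It shows two internal hosts that both use source port 40000 towards the same server being mapped to distinct external ports, replies being routed back to the right host, and an unsolicited inbound packet with no table entry being dropped, which is the stateful-filtering side effect people tend to conflate with NAT itself.

```python
"""Toy model of address-overloaded NAT (NAPT).

Constructed example: one external address is shared by all internal hosts,
the transport source port is rewritten per flow, and inbound packets that
match no existing translation are dropped.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (address, transport port)


@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint


class Napt:
    def __init__(self, external_addr: str, first_port: int = 1024, last_port: int = 65535):
        self.external_addr = external_addr
        self._next_port = first_port
        self._last_port = last_port
        # outbound table: (internal src endpoint, remote dst endpoint) -> external port
        self._out: Dict[Tuple[Endpoint, Endpoint], int] = {}
        # inbound table: (external port, remote endpoint) -> internal src endpoint
        self._in: Dict[Tuple[int, Endpoint], Endpoint] = {}

    def _allocate_port(self) -> int:
        # Sequential allocation keeps the example deterministic; real
        # translators randomise to make mappings harder to predict.
        if self._next_port > self._last_port:
            raise RuntimeError("external port pool exhausted")
        port = self._next_port
        self._next_port += 1
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """Translate an internal->external packet, creating state on first use."""
        key = (pkt.src, pkt.dst)
        ext_port = self._out.get(key)
        if ext_port is None:
            ext_port = self._allocate_port()
            self._out[key] = ext_port
            self._in[(ext_port, pkt.dst)] = pkt.src
        return Packet(src=(self.external_addr, ext_port), dst=pkt.dst)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Reverse-translate an external->internal packet; None means dropped."""
        if pkt.dst[0] != self.external_addr:
            return None
        internal = self._in.get((pkt.dst[1], pkt.src))
        if internal is None:
            return None  # no matching state: unsolicited traffic is dropped
        return Packet(src=pkt.src, dst=internal)


def demo():
    """Two internal hosts reuse the same source port towards one server."""
    nat = Napt("198.51.100.1")  # constructed external address
    server = ("203.0.113.10", 80)  # constructed remote endpoint
    a_out = nat.outbound(Packet(("10.0.0.2", 40000), server))
    b_out = nat.outbound(Packet(("10.0.0.3", 40000), server))
    a_reply = nat.inbound(Packet(server, a_out.src))
    b_reply = nat.inbound(Packet(server, b_out.src))
    # Unsolicited inbound packet towards a port nobody has mapped.
    stray = nat.inbound(Packet(("203.0.113.99", 443), ("198.51.100.1", 5000)))
    return a_out, b_out, a_reply, b_reply, stray


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Running it prints the two rewritten outbound packets (same external address, ports 1024 and 1025), the two replies delivered to the correct internal hosts, and `None` for the stray packet.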