From: George Herbert <george.herbert@gmail.com> Date: Friday, April 18, 2014 7:11 PM To: Lee Howard <Lee@asgard.org> Cc: Eugeniu Patrascu <eugen@imacandi.net>, "draft-gont-opsec-ipv6-firewall-reqs@tools.ietf.org" <draft-gont-opsec-ipv6-firewall-reqs@tools.ietf.org>, "nanog@nanog.org" <nanog@nanog.org> Subject: Re: Requirements for IPv6 Firewalls
> Lee Howard:
>> So, yeah, you have to give your firewall administrator time to walk through the rules and figure out what they ought to be in IPv6. Your firewall administrator has been wanting to clean up the rules for the last two years, anyway.
> The arrogance in this assertion is amazing.
What arrogance? I think I assert that IPv6 is time-consuming. There is no "deploy IPv6" button. FWIW, I do have enterprise network experience.
> You're describing best practice. Yes, of course, you should have well documented technical and business needs for what's open and what's closed in firewalls, and should have traceability from the rules in place to the requirements, and be able to walk the rules and understand them and reinterpret them from v4 to v6, to a new firewall vendor, etc. etc.
Yes. Any publicly-traded company will have this because their auditors require it. I would think that companies without this documentation are probably not ready to deploy a new protocol. I concede that tracing the rules to the requirements is a hard one in practice (and a PITA in operational practice), but I don't think it's required to be able to map IPv4 rules to IPv6 rules.
> Again - THE INERTIA IN REAL ENTERPRISE ENVIRONMENTS SAYS OTHERWISE.
To clarify: are you asserting that IPv6 uptake in enterprises is slow, which is a sign of inertia, and the reason is that firewalls are poorly documented and therefore we must have IPv6 NAT? Maybe "lack of (perceived) business need" is the reason more enterprises don't have IPv6.
> Again - policy community blinders on understanding what real systems are like out in the world have repeatedly shot the conversion in the legs. If you're going to start floating standards for this kind of stuff, then listen to feedback on why things are failing.
I don't agree that things are failing. I would absolutely like to see enterprises adopt IPv6. Maybe at this stage enterprises with no firewall documentation are not good candidates for dual-stack. Those do seem to me to be the kind of clients who are likely to blame IPv6 for any problem, and insist it be turned off before any other troubleshooting.

Lee