On Thu, Apr 17, 2014 at 6:30 AM, Fernando Gont <fernando@gont.com.ar> wrote:
> A few months ago we published an IETF I-D with requirements for IPv6 firewalls.
>
> Based on the feedback received since then, we've published a revision of the I-D: <http://www.ietf.org/internet-drafts/draft-gont-opsec-ipv6-firewall-reqs-01.txt>
Hi Fernando,

The feedback I would offer is this: You missed. By a lot.

For one thing, many of the requirements are vague, like REQ APP-20. I've mitigated spam by allowing the operator to configure static packet filters for the bad guy's netblock, right? Requirements "must" be precise. Where you can't make it precise, drop it to a "should." And why is spam mitigation a firewall requirement in the first place? Traditionally that's handled by a specialty appliance, largely because it's such a moving target.

Also, I note your draft is entitled "Requirements for IPv6 Enterprise Firewalls." Frankly, no "enterprise" firewall will be taken seriously without address-overloaded NAT. I realize that's a controversial statement in the IPv6 world, but until you get past it you're basically wasting your time on a document which won't be useful to industry.

Take it back to the drawing board. You're not there yet.

Regards,
Bill Herrin

--
William D. Herrin ................ herrin@dirtside.com  bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004