Re: Consumer Grade - IPV6 Enabled Router Firewalls.
Joe Greco wrote:
Everyone knows a NAT gateway isn't really a firewall, except more or less accidentally. There's no good way to provide a hardware firewall in an average residential environment that is not a disaster waiting to happen.
Gotta love it. A proven technology, successfully implemented on millions of residential firewalls, "isn't really a firewall", but rather "a disaster waiting to happen". Makes you wonder what disaster, and when exactly it's going to happen?
Simon Perreault wrote:
We have thus come to the conclusion that there shouldn't be a NAT-like firewall in IPv6 home routers.
And that, in a nutshell, is why IPv6 is not going to become widely feasible any time soon. Whether or not there should be NAT in IPv6 is a purely rhetorical argument. The markets have spoken, and they demand NAT. Is there a natophobe in the house who thinks there shouldn't be stateful inspection in IPv6? If not then could you explain what overhead NAT requires that stateful inspection hasn't already taken care of? Far from the issue some try to make it out to be, NAT is really just a component of stateful inspection. If you're going to implement statefulness there is no technical downside to implementing NAT as well. No downside, plenty of upsides, no brainer...
Roger Marquis
On Fri, 11 Dec 2009, Roger Marquis wrote:
Joe Greco wrote:
Everyone knows a NAT gateway isn't really a firewall, except more or less accidentally. There's no good way to provide a hardware firewall in an average residential environment that is not a disaster waiting to happen.
Gotta love it. A proven technology, successfully implemented on millions of residential firewalls, "isn't really a firewall", but rather "a disaster waiting to happen". Makes you wonder what disaster, and when exactly it's going to happen?
Simon Perreault wrote:
We have thus come to the conclusion that there shouldn't be a NAT-like firewall in IPv6 home routers.
And that, in a nutshell, is why IPv6 is not going to become widely feasible any time soon.
Whether or not there should be NAT in IPv6 is a purely rhetorical argument. The markets have spoken, and they demand NAT.
Is there a natophobe in the house who thinks there shouldn't be stateful inspection in IPv6? If not then could you explain what overhead NAT requires that stateful inspection hasn't already taken care of?
Far from the issue some try to make it out to be, NAT is really just a component of stateful inspection. If you're going to implement statefulness there is no technical downside to implementing NAT as well. No downside, plenty of upsides, no brainer...
Nobody thinks that a stateful firewall is not necessary for IPv6. If you want to participate in the discussion then comment on the IETF v6ops document: http://www.ietf.org/id/draft-ietf-v6ops-cpe-simple-security-08.txt
Best Regards,
Janos Mohacsi
On 12/12/2009, at 4:15 PM, Roger Marquis wrote:
Is there a natophobe in the house who thinks there shouldn't be stateful inspection in IPv6? If not then could you explain what overhead NAT requires that stateful inspection hasn't already taken care of?
I handwave past all that by pointing out (as you have) that stateful inspection is just a subset of NAT, where the inside address and the outside address happen to be the same. (In the same way that the SHIM6 middleware boxes which were proposed but never built were /also/ just subsets of NAT, with the translation rules controlled by the SHIM6 protocol layers on the hosts... but we weren't allowed to call them NAT gateways, because IPv6 isn't supposed to have any NAT in it :)
- mark
--
Mark Newton Email: newton@internode.com.au (W)
Network Engineer Email: newton@atdot.dotat.org (H)
Internode Pty Ltd Desk: +61-8-82282999
"Network Man" - Anagram of "Mark Newton" Mobile: +61-416-202-223
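The "stateful inspection is NAT with an identity mapping" point above, worked through as an added example that is not part of the thread: a toy connection-tracking gateway whose only difference between firewall mode and NAT mode is an address rewrite function. The IPv6 addresses are constructed from the 2001:db8::/32 documentation range.

```python
# Added example, not from the thread. Models a residential gateway as a
# connection-tracking table: outbound packets from the inside create state,
# inbound packets are forwarded only if they match existing state. NAT adds
# a source-address rewrite on the way out (and the inverse on the way in);
# with an identity rewrite the NAT box is exactly a stateful firewall.
from dataclasses import dataclass
from typing import Callable, Dict, Optional

@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        # The 5-tuple a reply to this flow would carry.
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)

class StatefulGateway:
    def __init__(self, translate: Optional[Callable[[str], str]] = None):
        # translate maps an inside address to the address seen on the Internet.
        # None means identity: no NAT, only stateful inspection.
        self.translate = translate or (lambda addr: addr)
        # Expected inbound 5-tuple -> the 5-tuple to deliver on the inside.
        self.table: Dict[Flow, Flow] = {}

    def outbound(self, flow: Flow) -> Flow:
        # Inside host opens a connection: rewrite source (if NAT) and record state.
        ext = Flow(flow.proto, self.translate(flow.src), flow.sport, flow.dst, flow.dport)
        self.table[ext.reverse()] = flow.reverse()
        return ext

    def inbound(self, flow: Flow) -> Optional[Flow]:
        # Packet from the Internet: forwarded only if it matches tracked state,
        # with the NAT rewrite undone; unsolicited packets return None (dropped).
        return self.table.get(flow)

def demo(nat: bool):
    """Run one outbound TCP connection through a firewall (nat=False) or a NAT
    box (nat=True) and try a solicited reply and an unsolicited probe."""
    public = "2001:db8:ffff::1"                    # constructed WAN address
    gw = StatefulGateway((lambda _a: public) if nat else None)
    inside = Flow("tcp", "2001:db8:1::10", 40000, "2001:db8:2::80", 80)
    ext = gw.outbound(inside)
    reply = ext.reverse()                          # the server's answer
    probe = Flow("tcp", "2001:db8:2::80", 80, ext.src, 22)  # nobody asked for this
    return ext.src, gw.inbound(reply), gw.inbound(probe)
```

In both modes the inbound decision is the same table lookup; only the address on the wire differs.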
On Fri, 2009-12-11 at 21:45 -0800, Roger Marquis wrote:
If you're going to implement statefulness there is no technical downside to implementing NAT as well. No downside, plenty of upsides, no brainer...
Of course there are downsides to implementing NAT - adding any feature to a device increases its complexity and affects its expense, time to market, MTBF etc. And there is certainly a downside to *deploying* NAT: NAT removes end-to-end transparency. Gotta keep those SOHO users in their cages, don't want them becoming independent producers of digital value, no sir! Seriously - by all means keep NAT as a technology for those who want to deploy it; we can't uninvent it anyway. It just shouldn't be imposed on others. I would argue that an ISP requiring of a customer that they use a NATted solution with IPv6 *is* imposing it on others.
Regards, K.
--
Karl Auer (kauer@biplane.com.au) +61-2-64957160 (h)
http://www.biplane.com.au/~kauer/ +61-428-957160 (mob)
GPG fingerprint: 07F3 1DF9 9D45 8BCD 7DD5 00CE 4A44 6A03 F43A 7DEF
participants (4)
- Karl Auer
- Mark Newton
- Mohacsi Janos
- Roger Marquis