
raw thoughts on v6 firewalls
Hi,

Regarding the v6ops meeting discussion...

I don't think v6 firewalls can be killed.  They're a mechanism to ensure 
some form of security policy; trusting end nodes to do the right thing is 
not enough.

But there are problems with v6 firewalling.  I've been trying to get
around to writing a draft for a year or so now but never did it (further
than the baseline summary of the content): perhaps now it's a better time.

One potentially major deployment issue is how the firewall is supposed to
handle packets where an extension header contains a header it does not
recognize and thus cannot parse, e.g. UDP/TCP headers.

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords
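An added example, not part of this message or of any v6ops draft: a Python walk of the IPv6 extension header chain, the step a firewall has to perform before it can see TCP/UDP ports, which reports the case raised above (a next header it does not recognize) as a distinct outcome so that policy, not the parser, decides what happens. Header length rules follow RFC 2460 and RFC 4302; the chain bound, the sample packets and the function names are constructed assumptions.

```python
import struct

IPV6_HDR_LEN = 40
# Extension headers this parser knows how to step over.
EXT_HOP_BY_HOP, EXT_ROUTING, EXT_FRAGMENT, EXT_AH, EXT_DEST_OPTS = 0, 43, 44, 51, 60
NO_NEXT_HEADER = 59
TRANSPORT = {6: "tcp", 17: "udp", 58: "icmpv6"}
MAX_EXT_HEADERS = 8  # assumption: bound the walk so a long chain cannot burn cycles

def ext_header_len(nh, buf, off):
    """Total length in bytes of extension header `nh` at `off`, or None if unknown."""
    if nh in (EXT_HOP_BY_HOP, EXT_ROUTING, EXT_DEST_OPTS):
        return (buf[off + 1] + 1) * 8      # Hdr Ext Len in 8-octet units, excluding first 8
    if nh == EXT_FRAGMENT:
        return 8                           # fixed size
    if nh == EXT_AH:
        return (buf[off + 1] + 2) * 4      # AH length in 4-octet units minus 2
    return None                            # ESP, experimental or unassigned: opaque to us

def locate_transport(pkt):
    """Walk the header chain; return (status, proto_or_next_header, offset)."""
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        return ("malformed", None, None)
    nh, off = pkt[6], IPV6_HDR_LEN
    for _ in range(MAX_EXT_HEADERS):
        if nh in TRANSPORT:
            return ("ok", TRANSPORT[nh], off)     # ports are readable from here
        if nh == NO_NEXT_HEADER:
            return ("no-transport", None, off)
        if off + 2 > len(pkt):
            return ("truncated", nh, off)
        hlen = ext_header_len(nh, pkt, off)
        if hlen is None:
            # The case the message describes: an unrecognized header hides the
            # transport header, so a port-based rule cannot be evaluated at all.
            return ("unknown-header", nh, off)
        if off + hlen > len(pkt):
            return ("truncated", nh, off)
        nh, off = pkt[off], off + hlen          # Next Header is always the first octet
    return ("too-many-headers", nh, off)

def ipv6_packet(first_nh, payload):
    """Constructed sample: minimal IPv6 header with zero addresses in front of `payload`."""
    return (bytes([0x60, 0, 0, 0]) + struct.pack(">HBB", len(payload), first_nh, 64)
            + bytes(32) + payload)

if __name__ == "__main__":
    print(locate_transport(ipv6_packet(60, bytes([17, 0]) + bytes(6) + bytes(8))))
    print(locate_transport(ipv6_packet(253, bytes(8))))   # 253: experimental next header
```

A firewall built on this returns "ok" to its port rules and hands every other status to an explicit policy decision (drop, log, or a configured allow list), rather than silently treating an unparseable packet as either safe or hostile.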