raw thoughts on v6 firewalls
- To: v6ops@ops.ietf.org
- Subject: raw thoughts on v6 firewalls
- From: Pekka Savola <pekkas@netcore.fi>
- Date: Thu, 19 Sep 2002 00:52:09 +0300 (EEST)
- Delivery-date: Wed, 18 Sep 2002 14:52:29 -0700
- Envelope-to: v6ops-data@psg.com
Hi,
Regarding v6ops meeting discussion..
I don't think v6 firewalls can be killed. They're a mechanism to ensure
some form of security policy; trusting end nodes to do the right thing is
not enough.
But there are problems with v6 firewalling. I've been trying to get
around to writing a draft for a year or so now but never did it (further
than the baseline summary of the content): perhaps now it's a better time.
One potentially major deployment issue is how the firewall is supposed to
handle packets where extension header contains a header it does not
recognize and thus cannot parse e.g. UDP/TCP headers.
--
Pekka Savola
Netcore Oy
Systems. Networks. Security.
"Tell me of difficulties surmounted, not those you stumble over and fall"
-- Robert Jordan: A Crown of Swords
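
Added example, not part of the original message: a minimal header-chain walk of the kind a filtering device performs, showing where it loses the TCP/UDP ports when it meets a Next Header value it does not recognize. The function names, the sample packets (constructed, addresses ::1 and ::2) and the use of experimental value 253 as the "unknown" header are assumptions made for illustration.

```python
import struct

# Extension headers sharing the generic layout: Next Header, Hdr Ext Len
# (length in 8-octet units, not counting the first 8 octets).
KNOWN_EXT = {0: "hop-by-hop", 43: "routing", 60: "destination-options"}
FRAGMENT = 44                      # fixed 8-octet header
TRANSPORT = {6: "tcp", 17: "udp"}

def find_upper_layer(pkt: bytes):
    """Walk the header chain; return (verdict, header number, offset)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return ("malformed", None, 0)
    nxt, off = pkt[6], 40
    while nxt not in TRANSPORT:
        if nxt not in KNOWN_EXT and nxt != FRAGMENT:
            # Layout and length are not known, so the walk cannot continue.
            return ("unknown", nxt, off)
        if off + 8 > len(pkt):
            return ("malformed", nxt, off)
        if nxt == FRAGMENT and struct.unpack_from("!H", pkt, off + 2)[0] >> 3:
            return ("non-first-fragment", nxt, off)   # no transport header here
        size = 8 if nxt == FRAGMENT else (pkt[off + 1] + 1) * 8
        if off + size > len(pkt):
            return ("malformed", nxt, off)
        nxt, off = pkt[off], off + size
    return (TRANSPORT[nxt], nxt, off)

def dst_port(pkt: bytes):
    """Destination port a port-based rule would match on, or None."""
    verdict, _, off = find_upper_layer(pkt)
    if verdict not in ("tcp", "udp") or off + 4 > len(pkt):
        return None
    return struct.unpack_from("!H", pkt, off + 2)[0]

def ipv6(next_header: int, payload: bytes) -> bytes:
    """Constructed 40-octet IPv6 header (src ::1, dst ::2) plus payload."""
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    return fixed + bytes(15) + b"\x01" + bytes(15) + b"\x02" + payload

# Constructed sample packets, all carrying the same UDP header (dst port 53).
UDP = struct.pack("!HHHH", 1234, 53, 8, 0)
PLAIN = ipv6(17, UDP)
WITH_DSTOPTS = ipv6(60, bytes([17, 0, 1, 4, 0, 0, 0, 0]) + UDP)   # PadN option
WITH_UNKNOWN = ipv6(253, bytes([17, 0, 0, 0, 0, 0, 0, 0]) + UDP)  # 253: experimental

if __name__ == "__main__":
    for name, p in [("plain", PLAIN), ("dstopts", WITH_DSTOPTS), ("unknown", WITH_UNKNOWN)]:
        print(name, find_upper_layer(p), dst_port(p))
```

For the third packet the walk stops at offset 40 with verdict "unknown", so a rule written in terms of ports has nothing to match against and the device has to fall back on some other policy.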