[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

raw thoughts on v6 firewalls

To: v6ops@ops.ietf.org
Subject: raw thoughts on v6 firewalls
From: Pekka Savola <pekkas@netcore.fi>
Date: Thu, 19 Sep 2002 00:52:09 +0300 (EEST)
Delivery-date: Wed, 18 Sep 2002 14:52:29 -0700
Envelope-to: v6ops-data@psg.com

Hi,

Regarding v6ops meeting discussion..

I don't think v6 firewalls can be killed.  They're a mechanism to ensure 
some form of security policy; trusting end nodes to do the right thing is 
not enough.

But there are problems with v6 firewalling.  I've been trying to get
around to writing a draft for a year or so now but never did it (further
than the baseline summary of the content): perhaps now it's a better time.

One potentially major deployment issue is how the firewall is supposed to
handle packets where extension header contains a header it does not not
recognize and thus cannot parse e.g. UDP/TCP headers.

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords

Prev by Date: Securing OSPFv3
Next by Date: Re: renumbering
Previous by thread: Securing OSPFv3
Next by thread: Re: raw thoughts on v6 firewalls
Index(es):
- Date
- Thread