
Re: raw thoughts on v6 firewalls



>I don't think v6 firewalls can be killed.  They're a mechanism to ensure 
>some form of security policy; trusting end nodes to do the right thing is 
>not enough.
>
>But there are problems with v6 firewalling.  I've been trying to get
>around to writing a draft for a year or so now but never did it (further
>than the baseline summary of the content): perhaps now it's a better time.

	I understand we can't kill firewalls.  They need to be more flexible,
	like allowing inbound connections for p2p protocols and such.  But then,
	we may be opening a big can of worms...

>One potentially major deployment issue is how the firewall is supposed to
>handle packets where the extension header chain contains a header it does not
>recognize and thus cannot parse, e.g., to reach the UDP/TCP headers.

	I'm trying to implement IPv6 stateful inspection into OpenBSD PF,
	but have no time to do so...

itojun
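The quoted deployment issue, worked through as an added example that is not part of the original message and is not PF code: a minimal walk of an IPv6 extension-header chain, the way a filter must do it to find the transport header, followed by a default-deny decision. The packets are constructed for the example (documentation addresses 2001:db8::1 and ::2, no checksums), the MAX_EXT_HEADERS cap is an arbitrary sanity limit, and next-header value 253 (reserved for experimentation, RFC 4727) stands in for any header the filter has no parser for.

```python
"""Walk an IPv6 extension-header chain the way a stateless filter must,
and show why an unparseable chain has to be an explicit policy decision."""
import struct

IPV6_HDR_LEN = 40
# Next-header values (IANA protocol numbers).
EXT_HBH, EXT_ROUTING, EXT_FRAGMENT, EXT_ESP, EXT_AH, EXT_DSTOPTS, EXT_NONE = 0, 43, 44, 50, 51, 60, 59
PROTO_TCP, PROTO_UDP, PROTO_ICMPV6 = 6, 17, 58
MAX_EXT_HEADERS = 8  # assumption: arbitrary sanity cap, not a value from any RFC


def walk_ipv6_chain(pkt: bytes):
    """Return (upper_layer_proto, offset_of_that_header) if the chain can be
    walked to a transport header, otherwise (None, reason)."""
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        return None, "not an IPv6 packet"
    nh, off = pkt[6], IPV6_HDR_LEN
    for _ in range(MAX_EXT_HEADERS + 1):
        if off > len(pkt):
            return None, "truncated packet"
        if nh in (PROTO_TCP, PROTO_UDP, PROTO_ICMPV6, EXT_NONE):
            return nh, off
        if off + 8 > len(pkt):
            return None, "truncated extension header"
        if nh in (EXT_HBH, EXT_ROUTING, EXT_DSTOPTS):
            hlen = (pkt[off + 1] + 1) * 8   # hdr ext len: 8-octet units, not counting the first 8
        elif nh == EXT_AH:
            hlen = (pkt[off + 1] + 2) * 4   # AH payload len: 4-octet units, minus 2
        elif nh == EXT_FRAGMENT:
            frag_off = struct.unpack_from("!H", pkt, off + 2)[0] >> 3
            if frag_off != 0:
                return None, "non-first fragment: transport header is in another packet"
            hlen = 8
        elif nh == EXT_ESP:
            return None, "ESP: payload encrypted, cannot locate transport header"
        else:
            # No length field we know how to read, so the chain cannot be skipped over.
            return None, f"unknown next header {nh}: length unknown, cannot skip it"
        nh, off = pkt[off], off + hlen
    return None, "too many extension headers"


def filter_decision(pkt: bytes, allow: set) -> str:
    """Default-deny: pass only if the chain was fully walked and the
    (protocol, destination port) pair is explicitly allowed.  ICMPv6 and
    other port-less protocols are keyed as (proto, 0)."""
    proto, info = walk_ipv6_chain(pkt)
    if proto is None:
        return f"drop ({info})"
    if proto in (PROTO_TCP, PROTO_UDP):
        if info + 4 > len(pkt):
            return "drop (truncated transport header)"
        dport = struct.unpack_from("!H", pkt, info + 2)[0]
        return "pass" if (proto, dport) in allow else f"drop (policy: {proto}/{dport})"
    return "pass" if (proto, 0) in allow else f"drop (policy: proto {proto})"


# --- constructed sample packets (not captured traffic) ---------------------
SRC = bytes.fromhex("20010db8000000000000000000000001")  # 2001:db8::1
DST = bytes.fromhex("20010db8000000000000000000000002")  # 2001:db8::2
UNKNOWN_EXT = 253  # experimental value (RFC 4727), standing in for an unrecognized header


def ipv6_packet(first_nh: int, payload: bytes) -> bytes:
    # version 6, traffic class 0, flow label 0, hop limit 64
    return struct.pack("!IHBB", 6 << 28, len(payload), first_nh, 64) + SRC + DST + payload


def tcp_syn(dport: int, sport: int = 40000) -> bytes:
    # 20-byte TCP header, SYN set, checksum left zero (not verified here)
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)


def dst_options(next_header: int) -> bytes:
    # 8-byte Destination Options header holding one PadN option
    return bytes([next_header, 0, 1, 4, 0, 0, 0, 0])


def fragment(next_header: int, offset8: int, more: bool, ident: int = 0x1234) -> bytes:
    return struct.pack("!BBHI", next_header, 0, (offset8 << 3) | int(more), ident)


def sample_packets() -> dict:
    return {
        "plain_tcp80": ipv6_packet(PROTO_TCP, tcp_syn(80)),
        "dstopts_tcp80": ipv6_packet(EXT_DSTOPTS, dst_options(PROTO_TCP) + tcp_syn(80)),
        "plain_tcp22": ipv6_packet(PROTO_TCP, tcp_syn(22)),
        # the same TCP/80 SYN hidden behind a header the filter cannot parse
        "unknown_ext_tcp80": ipv6_packet(UNKNOWN_EXT, bytes([PROTO_TCP, 0]) + b"\0" * 6 + tcp_syn(80)),
        # second fragment: no transport header in this packet at all
        "nonfirst_fragment": ipv6_packet(EXT_FRAGMENT, fragment(PROTO_TCP, 1, False) + b"\0" * 16),
    }


if __name__ == "__main__":
    allow = {(PROTO_TCP, 80)}
    for name, pkt in sample_packets().items():
        print(f"{name:20s} -> {filter_decision(pkt, allow)}")
```

The point the unknown-header case makes: if the filter passed whatever it could not parse, prepending one unrecognized extension header to a TCP SYN would walk straight past the port policy, so the unparseable chain has to be dropped (or handed to a stateful path that can reassemble and decode it), and that choice has to be written down as policy rather than left to whatever the parser happens to do.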