Re: raw thoughts on v6 firewalls
- To: Pekka Savola <pekkas@netcore.fi>
- Subject: Re: raw thoughts on v6 firewalls
- From: Behcet Sarikaya <behcet.sarikaya@alcatel.com>
- Date: Thu, 19 Sep 2002 09:29:37 -0500
- Cc: v6ops@ops.ietf.org
- Delivery-date: Thu, 19 Sep 2002 07:29:06 -0700
- Envelope-to: v6ops-data@psg.com
- Organization: Alcatel USA
- User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0
Hello Pekka,
Site-local addresses would provide the same functionality and
therefore there is no need to introduce firewalls into v6.
Is there anything wrong with the above argument?
Regards,
Pekka Savola wrote:
Hi,
Regarding v6ops meeting discussion..
I don't think v6 firewalls can be killed. They're a mechanism to ensure
some form of security policy; trusting end nodes to do the right thing is
not enough.
But there are problems with v6 firewalling. I've been trying to get
around to writing a draft for a year or so now but never did it (further
than the baseline summary of the content): perhaps now it's a better time.
One potentially major deployment issue is how the firewall is supposed to
handle packets where extension header contains a header it does not
recognize and thus cannot parse e.g. UDP/TCP headers.
--
Behcet
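
The deployment issue raised in the quoted message, that a firewall cannot reach the UDP/TCP header once it meets a header type it does not recognize, shown as an added example (not code from either poster). The function names, the sample packets and the use of Next Header value 253 as the "unrecognized" type are assumptions made for illustration; what to do with an "unknown" result is left to the caller.

```python
import struct

TRANSPORT = {6: "TCP", 17: "UDP", 58: "ICMPv6"}
TLV_EXT = {0, 43, 60}      # Hop-by-Hop, Routing, Destination Options
FRAGMENT = 44              # fixed 8-byte Fragment header
IPV6_HDR_LEN = 40

def find_transport(pkt: bytes):
    """Walk the extension header chain of one IPv6 packet.

    Returns (status, next_header, offset). status is "transport" (header
    found at offset), "unknown" (type at offset is not recognized, so the
    ports cannot be located), "non-first-fragment" or "truncated".
    """
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        return ("truncated", None, 0)
    nh, off = pkt[6], IPV6_HDR_LEN
    while True:
        if nh in TRANSPORT:
            return ("transport", nh, off)
        if nh not in TLV_EXT and nh != FRAGMENT:
            # Length and layout of this header are unknown to the parser: it
            # cannot be skipped, so any TCP/UDP header after it is out of reach.
            return ("unknown", nh, off)
        if off + 8 > len(pkt):
            return ("truncated", nh, off)
        length = 8 if nh == FRAGMENT else (pkt[off + 1] + 1) * 8
        if off + length > len(pkt):
            return ("truncated", nh, off)
        if nh == FRAGMENT and struct.unpack_from("!H", pkt, off + 2)[0] >> 3:
            return ("non-first-fragment", pkt[off], off)  # no transport header here
        nh, off = pkt[off], off + length

def build(first_nh: int, payload: bytes) -> bytes:
    """Constructed sample packet between two 2001:db8:: documentation addresses."""
    src = bytes.fromhex("20010db8") + bytes(11) + b"\x01"
    dst = bytes.fromhex("20010db8") + bytes(11) + b"\x02"
    hdr = struct.pack("!IHBB16s16s", 6 << 28, len(payload), first_nh, 64, src, dst)
    return hdr + payload

UDP = struct.pack("!HHHH", 1234, 53, 8, 0)    # constructed UDP header, dst port 53
DSTOPT = bytes([17, 0, 1, 4, 0, 0, 0, 0])     # Destination Options with PadN, next = UDP
MYSTERY = bytes([17, 0, 0, 0, 0, 0, 0, 0])    # carried as type 253, unknown to the parser

if __name__ == "__main__":
    for name, pkt in [("udp", build(17, UDP)),
                      ("dstopt+udp", build(60, DSTOPT + UDP)),
                      ("unknown+udp", build(253, MYSTERY + UDP))]:
        print(name, find_transport(pkt))
```

The third sample carries the same UDP header as the first two, but the parser stops at offset 40 and never sees the port numbers.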