
Re: raw thoughts on v6 firewalls



Hello Pekka,
Site-local addresses would provide the same functionality and therefore there is no need to introduce firewalls into v6.
Is there anything wrong with the above argument?

Regards,

Pekka Savola wrote:

Hi,

Regarding v6ops meeting discussion..

I don't think v6 firewalls can be killed. They're a mechanism to ensure some form of security policy; trusting end nodes to do the right thing is not enough.

But there are problems with v6 firewalling. I've been trying to get
around to writing a draft for a year or so now but never did it (further
than the baseline summary of the content): perhaps now it's a better time.

One potentially major deployment issue is how the firewall is supposed to
handle packets where extension header contains a header it does not
recognize and thus cannot parse e.g. UDP/TCP headers.


--
Behcet
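
The parsing problem raised in the quoted message, as an added example that is not part of the original thread: a filter walking the IPv6 header chain can only reach the UDP/TCP header if it knows the length format of every header before it. The function name, the verdict strings and the sample packets are assumptions constructed for illustration.

```python
import struct

# Header types this hypothetical filter can skip; anything else is opaque to it.
HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS = 0, 43, 44, 51, 60
NO_NEXT_HEADER = 59
UPPER_LAYER = {6: "tcp", 17: "udp", 58: "icmpv6"}


def find_upper_layer(packet: bytes):
    """Walk the IPv6 header chain; return (verdict, next_header, offset).
    Verdicts: "found" (transport header at offset), "unknown" (unrecognized
    header type at offset), "no-upper" (no transport header in this packet),
    "truncated" (chain runs past the end of the data).
    """
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return ("truncated", None, 0)
    nh, off = packet[6], 40
    while True:
        if off > len(packet):
            return ("truncated", nh, off)
        if nh in UPPER_LAYER:
            return ("found", nh, off)
        if nh == NO_NEXT_HEADER:
            return ("no-upper", nh, off)
        if nh not in (HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS):
            return ("unknown", nh, off)  # length format unknown: cannot skip
        if off + 8 > len(packet):
            return ("truncated", nh, off)
        next_nh, len_field = packet[off], packet[off + 1]
        if nh == FRAGMENT:
            if struct.unpack_from("!H", packet, off + 2)[0] >> 3:
                return ("no-upper", nh, off)  # non-first fragment
            hdr_len = 8
        elif nh == AH:
            hdr_len = (len_field + 2) * 4  # AH counts 32-bit words minus 2
        else:
            hdr_len = (len_field + 1) * 8  # 8-octet units, first not counted
        nh, off = next_nh, off + hdr_len


def _ipv6(first_nh: int, payload: bytes) -> bytes:
    # Constructed sample: fixed 40-byte header with zeroed addresses.
    return struct.pack("!IHBB", 6 << 28, len(payload), first_nh, 64) + bytes(32) + payload


_UDP = struct.pack("!HHHH", 53000, 53, 8, 0)          # constructed UDP header
_EXT = bytes([17, 0]) + bytes(6)                      # 8-byte header, next = UDP
UDP_BEHIND_DSTOPTS = _ipv6(DEST_OPTS, _EXT + _UDP)
UDP_BEHIND_UNKNOWN = _ipv6(253, _EXT + _UDP)          # 253 = experimental type
```

The two sample packets carry identical bytes after the fixed header; only the declared type of the first header differs, and in the second case the filter never reaches the ports, so any policy decision has to be made on the header type alone.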