
RE: raw thoughts on v6 firewalls



The only issue I can see arise is when a site-local address would have to communicate with foreign entities not local to itself.  In such an implementation, a "barrier" that logically and/or physically separates the two entities from one another would serve a purpose.  This "barrier" can take many forms: a proxy, a NAT device, and what is commonly known as a firewall.  Being a security professional as well as a network professional, blanket dismissal of security devices could prove to be a huge flaw if we take a stance of negating them so early on in the process.
 
Kim Sassaman
 

	-----Original Message----- 
	From: Behcet Sarikaya [mailto:behcet.sarikaya@alcatel.com] 
	Sent: Thu 9/19/2002 7:29 AM 
	To: Pekka Savola 
	Cc: v6ops@ops.ietf.org 
	Subject: Re: raw thoughts on v6 firewalls
	
	

	Hello Pekka, 
	  Site-local addresses would provide the same functionality and 
	therefore there is no need to introduce firewalls into v6. 
	  Is there anything wrong with the above argument? 

	Regards, 

	Pekka Savola wrote: 

	>Hi, 
	> 
	>Regarding v6ops meeting discussion.. 
	> 
	>I don't think v6 firewalls can be killed.  They're a mechanism to ensure 
	>some form of security policy; trusting end nodes to do the right thing is 
	>not enough. 
	> 
	>But there are problems with v6 firewalling.  I've been trying to get 
	>around to writing a draft for a year or so now but never did it (further 
	>than the baseline summary of the content): perhaps now it's a better time. 
	> 
	>One potentially major deployment issue is how the firewall is supposed to 
	>handle packets where extension header contains a header it does not 
	>recognize and thus cannot parse e.g. UDP/TCP headers. 
	> 

	-- 
	Behcet 
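The deployment issue Pekka raises in the quoted mail, worked through as an added example (this is not code from any poster on the thread): a firewall can only match on ports after walking the IPv6 extension-header chain to the transport header, and when it meets a Next Header value it does not recognise the walk stops short. The header values, packet layouts and the `unparsable_policy` knob below are the example's own assumptions; 253 is used as a stand-in for an unrecognised header.

```python
import struct
# Extension headers a firewall must skip before it can see ports. All but Fragment (44)
# carry (next_header, hdr_ext_len) and span (hdr_ext_len + 1) * 8 bytes; Fragment is 8.
EXT_HEADERS = {0: "hop-by-hop", 43: "routing", 44: "fragment", 60: "dest-opts"}
TRANSPORT = {6: "tcp", 17: "udp", 58: "icmpv6"}

def walk_extension_chain(pkt: bytes):
    """Returns ("transport", (name, offset, chain)) when TCP/UDP/ICMPv6 is reached,
    ("unknown", (next_header, chain)) when an unrecognised header stops the walk,
    ("fragment", (offset, chain)) for a non-first fragment, ("truncated", ...) if short."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_header, offset, chain = pkt[6], 40, []
    while next_header in EXT_HEADERS:
        if offset + 8 > len(pkt):
            return "truncated", (offset, chain)
        chain.append(EXT_HEADERS[next_header])
        if next_header == 44:
            hdr_len = 8
            if struct.unpack_from("!H", pkt, offset + 2)[0] >> 3:
                return "fragment", (offset, chain)  # transport header is in another packet
        else:
            hdr_len = (pkt[offset + 1] + 1) * 8
        next_header, offset = pkt[offset], offset + hdr_len
    if next_header not in TRANSPORT:
        return "unknown", (next_header, chain)
    if offset + 4 > len(pkt):
        return "truncated", (offset, chain)
    return "transport", (TRANSPORT[next_header], offset, chain)

def firewall_verdict(pkt: bytes, unparsable_policy: str = "drop") -> str:
    """Toy rule set: allow only TCP to port 443. Anything the chain walk cannot resolve
    to a transport header gets an explicit policy instead of being waved through."""
    verdict, detail = walk_extension_chain(pkt)
    if verdict != "transport":
        return unparsable_policy
    name, offset, _ = detail
    if name == "tcp" and struct.unpack_from("!H", pkt, offset + 2)[0] == 443:
        return "allow"
    return "drop"

# Constructed sample packets (zeroed addresses; payload length set to match).
def build_ipv6(next_header: int, payload: bytes) -> bytes:
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64) + bytes(32) + payload
TCP_443 = struct.pack("!HHIIBBHHH", 40000, 443, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
HBH_TO_TCP = bytes([6, 0, 1, 4, 0, 0, 0, 0])           # hop-by-hop, next=TCP, one PadN option
DSTOPT_TO_UNKNOWN = bytes([253, 0, 1, 4, 0, 0, 0, 0])  # dest-opts, next=253 (experimental)
PKT_PARSABLE = build_ipv6(0, HBH_TO_TCP + TCP_443)
PKT_UNPARSABLE = build_ipv6(60, DSTOPT_TO_UNKNOWN + TCP_443)
```

The second packet carries the same TCP/443 segment as the first, but a port-based rule never sees it; whether that packet passes is decided entirely by what the firewall does with an unparsable chain, which is the policy question the mail is about.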



