
Re: raw thoughts on v6 firewalls



Behcet Sarikaya wrote:
> 
> Hello Pekka,
>   Site-local addresses would provide the same functionality and
> therefore there is no need to introduce firewalls into v6.
>   Is there anything wrong with the above argument?

Lots. It's very similar to the argument that NAT is a security
feature, which is absolutely untrue.

Firewalls block incoming connections with global destination addresses. 
The existence of site-local addresses is orthogonal to this. You still
need to allow some incoming connections to global addresses, and
block others.

(Firewalls do more than that, but this is sufficient to answer
your question.)
  
   Brian