Re: raw thoughts on v6 firewalls

Now I understand that it is somewhat orthogonal. Using site-local addresses the intranet can avoid seeing company emails on Google's search engine, but how does one avoid having ftp sites be inaccessible from the Internet? Maybe this is also possible using site-local addresses.

Would it then be a good idea to ask the MIDCOM WG to come up with new RFCs (-bis) replacing the present v4-only ones, to standardize v6 firewalls?
Why did such an important issue not come up during the long standardization period in which v6 was developed?

Regards,

Brian E Carpenter wrote:
Behcet Sarikaya wrote:
Hello Pekka,
  Site-local addresses would provide the same functionality and
therefore there is no need to introduce firewalls into v6.
  Is there anything wrong with the above argument?

Lots. It's very similar to the argument that NAT is a security
feature, which is absolutely untrue.

Firewalls block incoming connections with global destination addresses. 
The existence of site-local addresses is orthogonal to this. You still
need to allow some incoming connections to global addresses, and
block others.

(Firewalls do more than that, but this is sufficient to answer
your question.)
   Brian


-- 
Behcet
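The point Brian makes above, that the scope of a host's address and the firewall's per-connection allow/block decision are separate questions, can be shown with a small simulation. This is an added example, not code from the thread or from any list participant. It models a border router that refuses to forward packets for site-local destinations (fec0::/10, which RFC 3879 later deprecated in favour of the ULA range fc00::/7 of RFC 4193) and a stateful filter that allows new inbound connections only to an explicit list of global (address, port) pairs, with all addresses taken from the 2001:db8::/32 documentation range and constructed for this illustration. A global-addressed ftp server is reachable or not purely because of the policy entry, which is what the site-local argument cannot provide.

```python
"""Toy stateful IPv6 packet filter (added example, not from the list thread).

Shows that site-local addressing is orthogonal to firewalling: site-local
destinations never cross the site border, while hosts that must be reached
from outside have global addresses and need a per-connection policy anyway.
"""
import ipaddress
from dataclasses import dataclass

# Site-local prefix as defined at the time of the thread (later deprecated).
SITE_LOCAL = ipaddress.ip_network("fec0::/10")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    syn: bool  # True = new-connection attempt, False = part of an existing flow


# Constructed policy: inbound connection attempts are allowed only to these
# (global address, port) pairs. Everything else arriving from outside is dropped.
INBOUND_ALLOW = {
    (ipaddress.ip_address("2001:db8:1::80"), 80),  # public web server
    (ipaddress.ip_address("2001:db8:1::21"), 21),  # public ftp server (control port)
}


def border_router_forwards(pkt: Packet) -> bool:
    """Site-local destinations are not routable across the site boundary,
    so the border router drops them before any firewall sees them."""
    return ipaddress.ip_address(pkt.dst) not in SITE_LOCAL


def firewall_verdict(pkt: Packet, state: set) -> str:
    """Stateful inbound filter. `state` holds (src, dst, dport) of flows that
    were admitted by a matching policy entry; later packets of such a flow
    are accepted, anything claiming to be established without state is not."""
    key = (pkt.src, pkt.dst, pkt.dport)
    if not pkt.syn:
        return "ACCEPT" if key in state else "DROP"
    if (ipaddress.ip_address(pkt.dst), pkt.dport) in INBOUND_ALLOW:
        state.add(key)
        return "ACCEPT"
    return "DROP"


def process_inbound(packets):
    """Run packets from the Internet through the border router and firewall.
    Returns a list of (dst, dport, verdict) tuples in input order."""
    state = set()
    results = []
    for pkt in packets:
        if not border_router_forwards(pkt):
            results.append((pkt.dst, pkt.dport, "UNROUTABLE"))
            continue
        results.append((pkt.dst, pkt.dport, firewall_verdict(pkt, state)))
    return results


# Constructed sample traffic arriving from outside the site.
SAMPLE = [
    Packet("2001:db8:ffff::1", "2001:db8:1::80", 80, True),   # web: allowed by policy
    Packet("2001:db8:ffff::1", "2001:db8:1::80", 80, False),  # same flow, now established
    Packet("2001:db8:ffff::1", "2001:db8:1::21", 21, True),   # ftp on a global address: allowed
    Packet("2001:db8:ffff::1", "2001:db8:1::22", 22, True),   # ssh to a global address: blocked
    Packet("2001:db8:ffff::1", "fec0::1:21", 21, True),       # site-local ftp: never reaches the site
    Packet("2001:db8:ffff::2", "2001:db8:1::80", 80, False),  # "established" without state: dropped
]

if __name__ == "__main__":
    for dst, dport, verdict in process_inbound(SAMPLE):
        print(f"[{dst}]:{dport:<3} -> {verdict}")
```

The two mechanisms answer different questions: the router's scope check says whether a site-local host is reachable at all (it is not), and the firewall's policy says which of the globally addressed hosts may accept which connections. Removing the policy would not make the site-local hosts any less hidden, but it would expose every global address.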