[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: raw thoughts on v6 firewalls

To: Brian E Carpenter <brian@hursley.ibm.com>
Subject: Re: raw thoughts on v6 firewalls
From: Behcet Sarikaya <behcet.sarikaya@alcatel.com>
Date: Thu, 19 Sep 2002 10:46:45 -0500
Cc: Pekka Savola <pekkas@netcore.fi>, v6ops@ops.ietf.org
Delivery-date: Thu, 19 Sep 2002 08:47:13 -0700
Envelope-to: v6ops-data@psg.com
Organization: Alcatel USA
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0

Now I understand that it is somewhat orthogonal. Using site local addresses the intranet can avoid seeing company emails on Google's search engine, but how to avoid having ftp sites to be not accessible from the Internet? Maybe this is also possible using site local addresses.

Would then be a good idea to ask MIDCOM WG to come up with new RFCs (-bis) replacing the present v4 only ones to standardize v6 firewalls?
Why this such an important issue did not come up during the long standardization period in which v6 was developed?

Regards,

Brian E Carpenter wrote:

Behcet Sarikaya wrote:

Hello Pekka,
  Site-local addresses would provide the same functionality and
therefore there is no need to introduce firewalls into v6.
  Is there anything wrong with the above argument?


Lots. It's very similar to the argument that NAT is a security
feature, which is absolutely untrue.

Firewalls block incoming connections with global destination addresses. 
The existence of site-local addresses is orthogonal to this. You still
need to allow some incoming connections to global addresses, and
block others.

(Firewalls do more than that, but this is sufficient to answer
your question.)
  
   Brian

-- 
Behcet

Prev by Date: Re: draft-ietf-ngtrans-ipv4survey-02.txt
Next by Date: Re: unmanaged scope comments
Previous by thread: Re: raw thoughts on v6 firewalls
Next by thread: RE: raw thoughts on v6 firewalls
Index(es):
- Date
- Thread