
RE: raw thoughts on v6 firewalls



> Behcet Sarikaya wrote:
> Site-local addresses would provide the same functionality
> and therefore there is no need to introduce firewalls into
> v6. Is there anything wrong with the above argument?

Something very wrong, IMHO: you would have to introduce IPv6 NAT if
these hosts have to talk to the outside world.

> Now I understand that it is somewhat orthogonal. Using
> site local addresses the intranet can avoid seeing company
> emails on Google's search engine, but how to avoid having
> ftp sites to be not accessible from the Internet? Maybe
> this is also possible using site local addresses.

Site-local addresses make sense for hosts that *never* have to access
the Internet, neither egress nor ingress. If a host with a site-local
address needs to communicate with the outside, I think that everyone
agrees that it is much preferable to give it a public address as well as
the site-local one rather than using the site-local only and IPv6 NAT.

Michel.