
Re: raw thoughts on v6 firewalls



Behcet Sarikaya wrote:
> 
> Now I understand that it is somewhat orthogonal. Using site local addresses the intranet can avoid seeing company emails on
> Google's search engine, but how to avoid having ftp sites be inaccessible from the Internet? Maybe this is also possible
> using site local addresses.
> 
> Would it then be a good idea to ask MIDCOM WG to come up with new RFCs (-bis) replacing the present v4 only ones to standardize
> v6 firewalls?

There are no standards for firewalls. MIDCOM is working on firewall (and IPv4-NAT)
traversal techniques only.


> Why did such an important issue not come up during the long standardization period in which v6 was developed?

Because IPv6 is aimed at restoring transparency and enabling
end to end security. Certainly, the MIDCOM mechanisms must be
equally valid for v4 and v6.

   Brian


> 
> Regards,
> 
> Brian E Carpenter wrote:
> 
> > Behcet Sarikaya wrote:
> >
> >
> >> Hello Pekka,
> >>   Site-local addresses would provide the same functionality and
> >> therefore there is no need to introduce firewalls into v6.
> >>   Is there anything wrong with the above argument?
> >>
> >>
> > Lots. It's very similar to the argument that NAT is a security
> > feature, which is absolutely untrue.
> >
> > Firewalls block incoming connections with global destination addresses.
> > The existence of site-local addresses is orthogonal to this. You still
> > need to allow some incoming connections to global addresses, and
> > block others.
> >
> > (Firewalls do more than that, but this is sufficient to answer
> > your question.)
> >
> >    Brian
> >
> >
> >
> 
> --
> Behcet

-- 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Brian E Carpenter 
Distinguished Engineer, Internet Standards & Technology, IBM 
On assignment at the IBM Zurich Laboratory, Switzerland
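The point Brian makes in the quoted reply (a firewall decides on direction and global destination address, and site-local scope is orthogonal to that decision) can be shown with a small model. The following is an added example, not code from the thread or from any of its participants: a direction-aware filter at a site border that remembers connections opened from inside, exposes only chosen services on global addresses, and drops everything else. The site prefix 2001:db8:1::/48, the exposed services and the packets are constructed values for illustration; fec0::/10 is the site-local range referred to in the thread.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not part of the original thread. Addresses use the
# documentation prefix 2001:db8::/32 and the site-local range fec0::/10
# (constructed values for illustration).

SITE_LOCAL = ipaddress.ip_network("fec0::/10")
OUR_PREFIX = ipaddress.ip_network("2001:db8:1::/48")   # assumed site prefix

# Services deliberately reachable from the Internet (assumed policy).
ALLOWED_INBOUND = {
    (ipaddress.ip_address("2001:db8:1::25"), 25),   # mail relay
    (ipaddress.ip_address("2001:db8:1::80"), 80),   # web server
}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool      # True when the segment opens a new connection


class Firewall:
    """Direction-aware filter at the site border."""

    def __init__(self):
        # Flows opened from inside: (inside addr, inside port, peer addr, peer port)
        self.flows = set()

    def outbound(self, pkt):
        # Connections initiated from inside are allowed and remembered so
        # that their replies can be matched on the way back in.
        self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "allow"

    def inbound(self, pkt):
        dst = ipaddress.ip_address(pkt.dst)
        if dst in SITE_LOCAL:
            # Site-local space is not routable across the Internet, so the
            # border never legitimately receives traffic for it; the real
            # policy decisions are all about global destinations.
            return "drop"
        if dst not in OUR_PREFIX:
            return "drop"                       # not ours: no transit
        if not pkt.syn:
            # Reply to something we opened? Match the remembered flow.
            if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
                return "allow"
            return "drop"                       # unsolicited mid-stream segment
        # New inbound connection to a global address: allowed only for
        # services the site chose to expose.
        if (dst, pkt.dport) in ALLOWED_INBOUND:
            return "allow"
        return "drop"


def run_sample():
    """Feed constructed packets through the filter; returns decisions in order."""
    fw = Firewall()
    decisions = []
    # 1. Inside host opens HTTPS to an outside server.
    decisions.append(fw.outbound(Packet("2001:db8:1::10", 40000, "2001:db8:ffff::1", 443, True)))
    # 2. The server's reply: matches the remembered flow.
    decisions.append(fw.inbound(Packet("2001:db8:ffff::1", 443, "2001:db8:1::10", 40000, False)))
    # 3. Outside host connects to the exposed mail relay.
    decisions.append(fw.inbound(Packet("2001:db8:ffff::2", 50000, "2001:db8:1::25", 25, True)))
    # 4. Outside host tries SSH to an ordinary inside host with a global address.
    decisions.append(fw.inbound(Packet("2001:db8:ffff::2", 50001, "2001:db8:1::10", 22, True)))
    # 5. Packet addressed to site-local space arriving from outside.
    decisions.append(fw.inbound(Packet("2001:db8:ffff::2", 50002, "fec0::1", 80, True)))
    # 6. Mid-stream segment for a flow nobody inside opened.
    decisions.append(fw.inbound(Packet("2001:db8:ffff::3", 443, "2001:db8:1::10", 40001, False)))
    return decisions


if __name__ == "__main__":
    for n, d in enumerate(run_sample(), 1):
        print(n, d)
```

Cases 3 and 4 are the ones that matter for the argument: both destinations are global addresses inside the same site, and nothing about address scope tells them apart. Only the site's policy (which services it exposes) does, which is exactly the job site-local addressing cannot do for you.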