
Re: IPv6-PMP?



Hello,

On Wednesday 11 April 2007 00:37, Fred Baker wrote:
> of course there will be stateful firewalls.
>
> I compare this to the health management system of the human body.
> Apart from blood loss and things like that, the mechanisms that keep
> the body healthy would mostly do so without the skin. But the skin
> makes it ever so much more effective.

I don't ask my parents or the local police officer to protect me from 
microbes and bacteria... I use my own skin, and similarly my PC has 
its own firewall that knows much better what it should pass and what it 
should keep out than my CPE. And even if the CPE knew (we just agreed 
this is currently impossible in the listening TCP port case...), I 
would not expect it to keep up with software upgrades on every single 
IPv6-capable software I might ever install on any of my IPv6-capable 
devices.

> Firewalls that permit the end to end principle to remain in force are
> a good thing for networks.

Sure, but I don't know any such firewall. And the typical stateful 
firewall allowing everything out and nothing unsolicited in DEFINITELY 
DOES NOT respect the end-to-end principle. Try to establish a COMEDIA 
SIP session with such a thing <-- this is a very basic benchmark for 
IPv6 to have any practical advantage over IPv4+NAT.

> Where the so-called "personal firewall" on a desktop/laptop protects
> the system, the firewall protects the investment in the network

The "investment" in the typical household network is a WiFi+Ethernet 
switch and a few Cat-5 cables. The switch can drop any packet sent 
to its address from the outside. Cables don't need protection. 
Everything else has its personal firewall.

> Doesn't SOCKS/GSSAPI open pinholes in firewalls?

AFAIK, SOCKS creates *outbound* connections when there is no routing at 
all.

> And the stateful firewalls I am most familiar with actually open
> pinholes automagically. They observe SYN-etc messages going out and
> open pinholes for the responses.

With all due respect, that's nonsense. The passive side of a TCP 
connection does not send anything until it has received a packet from 
the foreign peer. Stateful firewalls block exactly that.

With stateful firewalls everywhere, we are back to a full 
client-server-only Internet. That happens to work very well with IPv4 
already. Why would anyone switch, then?

> A SIP proxy can similarly open a pinhole for a SIP data call.

So I have to upgrade my (supposedly dirt cheap) CPE every time I want 
to use a new protocol. That's not at all end-to-end principle as far as 
I understand it.

Regards,

-- 
Rémi Denis-Courmont
http://www.remlab.net/

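The point made in the message about the passive side of a TCP connection can be shown with a small model of the "everything out, nothing unsolicited in" policy. The following Python is an added example written for this archive page; it is not code from the thread or from any real firewall product. It tracks outbound 4-tuples as connection state, admits inbound packets only when they match that state or an explicitly opened pinhole, and shows that a host listening on a port (SIP on 5060, as in the COMEDIA case mentioned above) never creates state on its own, so its incoming SYN is dropped until someone configures the CPE. Addresses, ports and the `2001:db8:1::` inside prefix are constructed sample values.

```python
"""Toy model of a stateful packet filter: outbound traffic allowed and
tracked, inbound traffic allowed only if it matches tracked state or a
static pinhole.  Constructed illustration, not a real firewall."""
from dataclasses import dataclass

INSIDE_PREFIX = "2001:db8:1::"  # constructed prefix for the "inside" LAN


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "SYN", "SYN-ACK", "ACK"; informational only in this model


class StatefulFilter:
    """Connection tracking keyed on (src, sport, dst, dport) of outbound packets."""

    def __init__(self, inside_prefix):
        self.inside_prefix = inside_prefix
        self.state = set()     # 4-tuples first seen leaving the inside network
        self.pinholes = set()  # (inside_addr, port) pairs opened by configuration

    def is_inside(self, addr):
        return addr.startswith(self.inside_prefix)

    def allow_inbound(self, addr, port):
        """Static pinhole: the only way an unsolicited inbound SYN is admitted."""
        self.pinholes.add((addr, port))

    def forward(self, pkt):
        """Return True if the packet is forwarded, False if it is dropped."""
        if self.is_inside(pkt.src) and not self.is_inside(pkt.dst):
            # Outbound: always allowed, and it creates the state that will
            # later admit the reverse direction.
            self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound: admitted only if the reverse 4-tuple was seen going out...
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state:
            return True
        # ...or if the operator has explicitly opened that inside port.
        return (pkt.dst, pkt.dport) in self.pinholes


def client_scenario():
    """Inside PC opens a connection to an outside web server.

    Returns [outbound SYN forwarded?, inbound SYN-ACK forwarded?]."""
    fw = StatefulFilter(INSIDE_PREFIX)
    pc, web = INSIDE_PREFIX + "10", "2001:db8:ffff::80"
    syn = Packet(pc, 50000, web, 80, "SYN")
    syn_ack = Packet(web, 80, pc, 50000, "SYN-ACK")
    return [fw.forward(syn), fw.forward(syn_ack)]


def listening_scenario():
    """Inside PC listens on 5060 and sends nothing first, so no state exists.

    Returns [inbound SYN forwarded before pinhole?, after pinhole?]."""
    fw = StatefulFilter(INSIDE_PREFIX)
    pc, peer = INSIDE_PREFIX + "10", "2001:db8:ffff::5060"
    inbound_syn = Packet(peer, 40000, pc, 5060, "SYN")
    before = fw.forward(inbound_syn)  # dropped: the listener never created state
    fw.allow_inbound(pc, 5060)        # CPE reconfigured for this one protocol
    after = fw.forward(inbound_syn)
    return [before, after]


if __name__ == "__main__":
    print("client  :", client_scenario())     # [True, True]
    print("listener:", listening_scenario())  # [False, True]
```

The model keeps only the outbound-created state, which is what "observing SYNs going out and opening pinholes for the responses" amounts to; nothing in it can admit the first packet of a connection initiated from outside, so each new inbound-initiated protocol needs its own pinhole on the CPE.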