
Re: The argument for writing a general purpose NAT for IPv6
Hi,

On Wed, Apr 18, 2007 at 03:45:40PM -0700, james woodyatt wrote:
> On Apr 18, 2007, at 15:35, Gert Doering wrote:
> >I share the sentiment that "unmanaged networks and stateful  
> >firewalls" is a problematic scenario, but it seems that this is  
> >what we *have* (due to not-so-well informed decision processes).
> 
> I don't think I would agree with this characterization of how we have  
> arrived at the present situation.  As the authors of draft-ietf-nap  
> have noted, the situation is the result of the most informed  
> community of Internet experts in the world, the IETF, recognizing its  
> own technical consensus about the need for stateful firewalls in  
> residential gateways.

Well, just to clarify this.  I didn't mean to imply that *you* have been
"not so well-informed" - but the whole process went wrong.

Please do also note that a single IETF *draft* is not necessarily "the IETF
consensus", but "a single working group in the IETF, and most likely
just a few individuals in that working group that found time to read the
draft and comment on it" - and it is entirely possible that these
individuals have overlooked some of the implications that this might
bring with it.

Personally, I am guilty of not having read the NAP draft in detail - the
general direction "we don't need NAT with IPv6" was something I agreed
to, but the consequence "if we require stateful firewalls on zero-conf
networks, we will have lots of interesting new problems" was something 
at least I didn't think of.

[..]
> If anything, I would have to accept my share of personal  
> responsibility for my involvement in allowing Apple to ship the first  
> release of firmware for the AirPort Extreme base station *without*  
> the stateful firewall protecting its unmanaged local network.  This  
> was clearly an uninformed decision, and Apple was roundly disparaged  
> in the technical press for it-- presumably by well-informed critics.   
> This mistake might have been avoided if I had seen draft-ietf-nap  
> sooner than I did.

I can't agree with this assessment.  I think that people who complain 
about "this device has no (automatic, zero-conf and default-on) firewall!!!" 
when there is no mechanism yet to distribute policy information between 
hosts behind the firewall and the firewall itself are doing IPv6 a 
disservice, and are not very well-informed.

(I hope that the Apple AirPort Extreme base station has a configuration
knob to turn *off* the IPv6 firewall - otherwise I won't buy one.
I have a firewall in my network, which is configured to let in those
packets I want to see there, and a zero-conf-everything-disallowed
firewall would break stuff)

Gert Doering
        -- NetMaster
-- 
Total number of prefixes smaller than registry allocations:  113403

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444            USt-IdNr.: DE813185279