Re: CPE equipments and stateful filters
- To: Jun-ichiro itojun Hagino <itojun@itojun.org>
- Subject: Re: CPE equipments and stateful filters
- From: Brian E Carpenter <brian.e.carpenter@gmail.com>
- Date: Tue, 24 Jul 2007 01:48:02 +0200
- Cc: v6ops@ops.ietf.org
- In-reply-to: <20070723193610.70736233CB@coconut.itojun.org>
- References: <20070723193610.70736233CB@coconut.itojun.org>
- User-agent: Thunderbird 1.5.0.12 (Windows/20070509)
On 2007-07-23 21:36, Jun-ichiro itojun Hagino wrote:
> on CPE equipments and stateful filters.
> first of all, here's my take on NAT and access controls at the border.
> (i've posted this URL to ietf@ietf couple of days ago)
> http://ipv6samurais.com/ipv6samurais/demystify/
> NAT or stateful filters w/ ALG are not future proven (cannot accommodate
> new protocols and people need to upgrade forever).
> because of this reason NAT-PT document is deprecated in v6ops.
> now we are seeing the opposite action. weird.
> i do not disagree with "we need stateful filter implementations".
> but i suggest that we need to be REAL careful about the default
> settings.

I agree. But the market reality (and we heard it explicitly from a
well known CPE vendor at the microphone) is that they will not sell
$50 consumer gateways that allow incoming unsolicited SYN or UDP
by default. We need to make realistic recommendations in that context.
Brian