
RE: CPE equipments and stateful filters
> Let's make one thing real clear. It is abundantly clear to the vendors
> in the room that there is a market for IPv6 CPEs with firewalls.

The market is based on supposed customer demand. Customer demand
evolves. You cite an obvious benefit, "hide my home network from my
ISP". But there is an equivalent cost, "prevent Skype from working
well". Or Bit Torrent, or whatever peer to peer application happens to
be popular. 

The choice is really between host firewalls and CPE firewalls. Both
achieve the "isolation" goal. The big difference is that host firewalls
can be controlled by a local API, while controlling a CPE is much
harder. If the host has adequate protection, then the intermediate
firewall in the CPE increases the overall cost without adding any
significant value.

> Technology religion to the contrary isn't going to stop that. So
> shouting at the top of your lungs that "we don't like firewalls" is
> in essence pissing into the wind. Save your breath. The products are
> going to be built and deployed. 

You are making the pessimist argument: since the worst is unavoidable,
it would be best to stop whining and just deal with it. Application
developers are actually used to that approach -- develop for the network
you have, and route around the damage inflicted by half-brained boxes.
Most likely, they will develop "automatic firewall traversal"
strategies. In a peer-to-peer network, for example, they will probably
invent a "pre-SYN" message that is relayed through a third party, so
that the two peers send their SYN packets simultaneously and effectively
defeat stateful packet inspection. Or, maybe, they will achieve the same
result using IPsec. Or they will use a transport over UDP. Welcome to
the arms race.

-- Christian Huitema
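The "pre-SYN" scenario above can be made concrete with a toy model of a stateful CPE filter. The following is an added example and is not part of Huitema's message or of any vendor's product: it implements the usual "allow outbound-initiated flows only" policy with a small flow table, shows why an unsolicited inbound SYN is dropped while two peers that send their SYNs at the same time both get through, and adds a hypothetical `strict` mode (an assumption of this example, not something the thread describes) in which only a SYN-ACK may answer an outbound SYN, which is the kind of counter-move the "arms race" remark anticipates. All addresses and ports are constructed sample values.

```python
# Added example (not from the mailing-list thread): a minimal connection-tracking
# filter between a LAN (the home network behind the CPE) and the WAN.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str      # "ip:port" of the sender (constructed sample values below)
    dst: str      # "ip:port" of the receiver
    flags: str    # one of "SYN", "SYN-ACK", "ACK", "DATA"


@dataclass
class StatefulFilter:
    """Toy stateful filter: outbound always passes, inbound only on tracked flows."""
    lan_prefix: str
    # Hypothetical hardening knob: when True, an inbound SYN never counts as the
    # reply to an outbound SYN, so a simultaneous open is refused.
    strict: bool = False
    # Flow table keyed by (lan endpoint, wan endpoint) -> "SYN_SENT" | "ESTABLISHED"
    flows: dict = field(default_factory=dict)

    def _is_lan(self, endpoint):
        return endpoint.startswith(self.lan_prefix)

    def handle(self, pkt):
        """Return 'ALLOW' or 'DROP' for pkt and update the flow table."""
        if self._is_lan(pkt.src):
            # Outbound traffic: always allowed; a SYN opens a new tracked flow.
            key = (pkt.src, pkt.dst)
            if pkt.flags == "SYN" and key not in self.flows:
                self.flows[key] = "SYN_SENT"
            return "ALLOW"

        # Inbound traffic: allowed only if a LAN host already opened this flow.
        key = (pkt.dst, pkt.src)
        state = self.flows.get(key)
        if state is None:
            return "DROP"                 # unsolicited: the case the CPE firewall is sold for
        if state == "ESTABLISHED":
            return "ALLOW"
        # state == "SYN_SENT": the LAN host is waiting for the peer's handshake reply.
        # A SYN-ACK is the normal reply; a bare SYN is what arrives during a
        # simultaneous open, and a lenient tracker accepts it too.
        if pkt.flags == "SYN-ACK" or (pkt.flags == "SYN" and not self.strict):
            self.flows[key] = "ESTABLISHED"
            return "ALLOW"
        return "DROP"


def unsolicited_inbound():
    """WAN peer tries to open a connection first: the filter drops it."""
    fw = StatefulFilter(lan_prefix="10.0.0.")
    return fw.handle(Packet("203.0.113.5:4000", "10.0.0.2:5000", "SYN"))


def simultaneous_open(strict=False):
    """Both peers, told each other's endpoint by a rendezvous party, send SYN at
    once. Returns the verdicts on the outbound SYN, the inbound SYN and the
    inbound ACK that would complete the handshake."""
    fw = StatefulFilter(lan_prefix="10.0.0.", strict=strict)
    out_syn = fw.handle(Packet("10.0.0.2:5000", "203.0.113.5:4000", "SYN"))
    in_syn = fw.handle(Packet("203.0.113.5:4000", "10.0.0.2:5000", "SYN"))
    in_ack = fw.handle(Packet("203.0.113.5:4000", "10.0.0.2:5000", "ACK"))
    return out_syn, in_syn, in_ack


if __name__ == "__main__":
    print("unsolicited inbound SYN:", unsolicited_inbound())
    print("simultaneous open, lenient tracker:", simultaneous_open())
    print("simultaneous open, strict tracker:", simultaneous_open(strict=True))
```

The lenient tracker lets the simultaneous open through because, from its point of view, the inbound SYN matches a flow the LAN host itself started; the `strict` variant closes that gap at the price of breaking legitimate TCP simultaneous open, which is exactly the trade-off between "isolation" and "applications that work" the message is arguing about.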