> I think you are quoting from the "Transparent End-to-End Communications"
> section on pages 14/15 which is to do with communications _within_ the home
> network.

Yes... I understand the rationale behind not wanting a NAT within the home, but the text reads in a much larger way. And the anti-NAT bits aren't just limited to that one section, but rather scattered throughout. So I would say --

1. Take out the bits about "we don't want NAT."
2. Replace them with a single section detailing exactly what you want in terms of "transparent end-to-end communications" specifically within the home.

> Is this really true? When I want to secure a physical space, I block off
> all access, then put in carefully thought out access control points. I
> don't pile all my goods in the middle of the street, and then actively
> monitor every person who walks by, hiring more people to do the
> monitoring as needed.
> ...
>
> Generally speaking, I want open access within my home network,
> but may add specific rules to stop e.g. guest wi-fi getting to certain
> servers.

You want guests to be able to get to all servers by default, unless you specifically go into a configuration on some device?

What's really needed is the ability to divide things into "domains," probably requiring some form of local directory server, and then controlling who is in what domain. Anything within a domain can access anything else within the same domain by default, and cannot access anything in the other domain by default, including network connections.

> See "Security, Borders, and the elimination of NAT" section on page 5.
> ---
> [RFC6092] provides recommendations for an IPv6 firewall that
> applies "limitations on end-to-end transparency where security
> considerations are deemed important to promote local and Internet
> security." The firewall operation is "simple" in that there is an
> assumption that traffic which is to be blocked by default is
> defined in the RFC and not expected to be updated by the user or
> otherwise. The RFC also discusses an option for CPEs to have an
> option to be put into a "transparent mode" of operation.
>
> It is important to distinguish between addressability and
> reachability; i.e. IPv6 through use of globally unique addressing
> in the home makes all devices potentially reachable from anywhere.
> Whether they are or not should depend on firewall or filtering
> behaviour, and not the presence or use of NAT.
> ...
> ---
>
> Does this address your concerns?

No, not really, because it assumes just what I don't want to assume -- that end-to-end reachability is the default, and I must take specific actions in order to block specific pieces of reachability.

If you want, I'll try and suggest wording later today or tomorrow. :-)

Russ

_______________________________________________
homenet mailing list
https://www.ietf.org/mailman/listinfo/homenet
