> > I'd be more sympathetic to arguments like this if we RFC 4864 didn't
> > insist on recommending the deployment of stateful packet filters in
> > IPv6 that break most of the things NAT breaks in IPv4.

> It seems to me that you're making the assumption that the only scenario
> IPv6 will be deployed in is one where end-nodes always have an upstream
> stateful firewalling device.

Even if the stateful firewalling algorithm is being executed by an upstream device, the fact that the IPv6 destination address is globally known means that the device knows exactly which internal device is the intended destination of the packet. This makes it easier for additional software on the upstream device to do something intelligent that will not break connectivity in the way that IPv4 NAT/PAT does. For instance, there could be an application on the end host that receives notifications from the upstream device so that the user can accept the packet flow. Or there could be a bit of software on the upstream device that recognizes this particular packet as belonging to a known protocol which should be allowed through. Some of this already exists in IPv4, such as application layer gateways, but some is yet to be developed.

IPv6 brings a fundamental difference: the end hosts can use globally unique addresses, and the upstream gateways do not need to do any address translation in order to apply stateful firewalling. Once this becomes more widely understood, some creative solutions like the host notification mentioned above could be implemented.

Also, firewalling is a process. It has already been pointed out that the process could take place on the end hosts. It can also be distributed between the end host and an upstream gateway. Or even partly distributed to a 3rd party host inside the perimeter by diverting the packet flow, such as is often done with proxy caching. Because of the broad possibilities it is hard to make absolute statements about what effect firewalls will have on any particular protocol.
--Michael Dillon

--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
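As an added illustration of the point made in the message above (example code, not from the thread or any IETF document): a toy stateful IPv6 filter that refers an unsolicited inbound packet to the destination host's own policy, the "host notification" idea, beside an IPv4-style PAT gateway that has no inside host to ask. The addresses, ports and policy are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class StatefulIPv6Filter:
    """Gateway-side stateful filter. Inbound packets carry the real end-host
    address, so an unsolicited packet can be referred to that host's policy
    instead of being dropped blindly."""

    def __init__(self, inside_prefix, host_policy):
        self.inside_prefix = inside_prefix
        self.host_policy = host_policy  # dst address -> predicate over Packet
        self.flows = set()              # 5-tuples seen outbound

    def outbound(self, pkt):
        self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))

    def inbound(self, pkt):
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.flows:
            return "established"          # reply to a flow an inside host opened
        if not pkt.dst.startswith(self.inside_prefix):
            return "drop:not-ours"
        decide = self.host_policy.get(pkt.dst)
        if decide is not None and decide(pkt):
            return "accept:host-policy"   # the host (or its agent) chose to accept
        return "drop:unsolicited"


def pat_inbound(pkt, public_addr, mappings):
    """IPv4-style PAT gateway for contrast: every inbound packet is addressed to
    the gateway itself, so without a mapping created by outbound traffic there
    is no way to tell which inside host was intended; it can only be dropped."""
    if pkt.dst != public_addr:
        return "drop:not-ours"
    inside = mappings.get((pkt.proto, pkt.dport))
    return f"forward:{inside}" if inside else "drop:no-mapping"


def build_demo():
    # Constructed policy: host ::10 accepts inbound HTTPS; host ::20 has none.
    fw = StatefulIPv6Filter("2001:db8:1::", {"2001:db8:1::10": lambda p: p.dport == 443})
    fw.outbound(Packet("2001:db8:1::10", 51000, "2001:db8::beef", 443))
    return fw
```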
