Dear Fernando, authors of this I-D,

thanks for pushing this (IMO) worthwhile topic forward.

The more we see IPv6 availability, the more important it is that the router/gateway/firewalls will provide an (at least) on-par security for IPv6, compared to IPv4. With such a document, firewall makers can have a valuable checklist in their hands - and go at least for the "conditionally-compliant" feature set.

My gut feeling is that such a document should aim a little higher than just providing parity with IPv4 firewall features. IMO this is especially true for the DoS section (chapter 7), since more attack vectors exist with IPv6 (or so it feels to me).

Two small ideas:

* If deemed useful, the document should clearly state the importance of (the NAT-less yet) stateful PF with IPv6, and maybe some details of it.
* If suitable for this I-D, some words could be added on privacy issues with IPv6 and how an IPv6-FW could help (or not) with that.

Best regards
Carsten

-----Original Message-----
From: OPSEC [mailto:[email protected]] On Behalf Of Fernando Gont
Sent: Wednesday, February 19, 2014 12:09 AM
To: '[email protected]'
Subject: [OPSEC] IPv6 firewalls reqs: Rationale

Folks,

As noted in my previous email, this is a request to discuss the first item listed in my previous email:

1) Agree on a rationale to write this spec.

For example, one possible rationale is "aim at providing parity of features with IPv4". Another one could be that "should aim a little higher". For example, in the light of draft-farrell-perpass-attack we may aim at requiring some privacy features that might not be that common in IPv4 firewalls.

Thoughts?

Yours,
--
Fernando Gont
e-mail: [email protected] || [email protected]
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1

_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
