On Wed, 2011-03-30 at 10:02 -0400, Edward Ned Harvey wrote:
> As I recall from previous discussion here and on other lists...
> One of the barriers to widespread deployment of IPv6 is fear

Yes, fear, much in relation to FURFI (fear and uncertainty resulting from ignorance).

> about security. People have come to rely on their IPv4 NAT as a form
> of inbound packet filter.

Incorrectly, yes. Because they don't know the difference between NAT and a firewall.

> a lot of IPv6 firewalls will need to be configured to block all
> inbound IPv6 traffic and permit all outbound.

Much in the way many IPv4 firewalls work. There is nothing wrong with this.

> Unfortunately, this defeats the main value-add of IPv6, which is
> peer-to-peer.

No it does not. It is my peer to you. I just don't let you your-peer-to-me; which is exactly what you'd experience with most IPv4 firewalls and pretty-much-always with the IPv4 NAT hack.

> So logically, it seems natural, a lot of IPv6 firewalls will need to
> support things like NAT-PMP, or IGD, so the internal devices can
> automatically configure inbound ports to enable peer-to-peer, whilst
> maintaining a reasonably secure perimeter firewall. This allows you
> to block all unsolicited inbound traffic, but allow clients to
> communicate with solicited peers for firewall traversal. (And at some
> point, it seems natural that some authentication scheme will be
> necessary, so only specific applications and/or specific machines will
> be able to use that functionality, etc.)

Sure, if you want to keep control of such things at a central firewall. Honestly, I don't meet very many IPv4 applications that support NAT-PMP. It is pretty much an Apple thing, so I wouldn't expect most IPv6 applications to bother with it.

> Now the question I have is ... Neither NAT-PMP nor IGD seems to
> support IPv6. So what up?

IPv6 has native tunneling and quasi-integrated IPsec. So that is two ways to work around firewalls. How IPv6 apps will choose to solve this remains up-in-the-air. And, hopefully, new apps will make more and more use of SCTP, which can help with traversal issues.
_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
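The reply above endorses the "block all unsolicited inbound, permit all outbound" IPv6 firewall and makes the point that a stateful filter, not NAT, is what gives that behaviour. Below is an added example of such a ruleset in nftables; it is editorial illustration, not configuration posted by either participant in the thread. The caveat it exists to show is the one that trips up people who port an IPv4 "drop everything inbound" policy literally: in IPv6, Neighbour Discovery (the ARP replacement), Path MTU discovery and MLD all ride on ICMPv6, so a blanket ICMPv6 drop silently breaks the host. The table name, the interface name and the ICMPv6 type keywords are assumptions; check the keywords against your nft version with `nft describe icmpv6 type`.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread: a stateful IPv6 host firewall that
# drops unsolicited inbound traffic and permits all outbound, while keeping
# the ICMPv6 that IPv6 cannot operate without.
# Assumptions: table name "filter", ICMPv6 type keywords as spelled by
# recent nft releases. Load with: nft -f this-file

add table ip6 filter
flush table ip6 filter

table ip6 filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback, plus replies to connections this host initiated.
        # ct state is what makes "my peer to you, but not your peer to me" work.
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Error signalling. Dropping packet-too-big breaks Path MTU discovery,
        # the classic symptom of an over-eager "drop all ICMPv6" rule.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept

        # Neighbour Discovery: the IPv6 replacement for ARP. Legitimate NDP
        # arrives from the local link with hop limit 255, so require it.
        ip6 hoplimit 255 icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } accept

        # Multicast Listener Discovery, needed on links with MLD-snooping switches.
        ip6 hoplimit 1 icmpv6 type { mld-listener-query, mld-listener-report, mld-listener-reduction } accept

        # Answer pings, rate-limited so they cannot be used to flood.
        icmpv6 type echo-request limit rate 10/second accept

        # Everything else unsolicited falls through to the drop policy.
        # Services you deliberately expose get explicit rules here, e.g.:
        # tcp dport 22 accept
    }

    chain forward {
        # Only relevant if this box routes; same stateful rule, no unsolicited
        # inbound toward the inside network.
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
    }

    chain output {
        # Permit all outbound, as the thread describes.
        type filter hook output priority 0; policy accept;
    }
}
```

Two things worth checking after loading it: `ping6` to an off-link host should still work (echo replies match `established`), and `ip -6 neigh` should keep populating, which confirms NDP is getting through the hop-limit-255 rule. Note that nothing in this ruleset gives an inside application a way to open an inbound port for itself; in the model the reply defends, that is done by an administrator adding a rule, not by the application asking the firewall.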