Thus spake "Melinda Shore" <mshore@xxxxxxxxx>
I have a lot more trust in the simplicity of a basic NAT in a
consumer firewall than I do in any firewall which has to
examine each packet for conformance to complex policy
rules.
"Drop all inbound traffic" is complex?
AFAIK, there's exactly one consumer CPE device on the market that does IPv6
and it has a configuration option cleverly labelled "Block incoming IPv6
connections" which is checked by default.
Perhaps he means Apple is overestimating users' intelligence by giving them
a checkbox at all? Leaving it at the default setting is rather complicated,
after all...
Or perhaps he meant that an IPv4 NAT which has to do stateful packet
inspection plus mangling both the packet headers and occasionally mangling
packet payloads is less complicated than an IPv6 firewall that just has to do
stateful inspection and either drop the packet or forward it without any
mangling at all?
S
Stephen Sprunk
CCIE #3723
K5SSS
"Those people who think they know everything are a great annoyance to those of us who do." --Isaac Asimov
_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf