On Jun 29, 2011 7:19 PM, "Fernando Gont" <fernando@xxxxxxxxxxx> wrote:
>
> Hi, Jari,
>
> My high level comment/question is: the proposed charter seems to stress
> that IPv6 is the driver behind this potential wg effort... however, I
> think that this deserves more discussion -- it's not clear to me why/how
> typical IPv6 home networks would be much different from their IPv4
> counterparts.
>
> Bellow you'll find some comments/questions about the proposed charter.
> They are not an argument against or in favour of the creation of the
> aforementioned wg, but rather comments and/or requests for clarification...
>
> On 06/29/2011 05:47 AM, Jari Arkko wrote:
> [....]
> > o Service providers are deploying IPv6, and support for IPv6 is
> > increasingly available in home gateway devices. While IPv6 resembles
> > IPv4 in many ways, it changes address allocation principles and allows
> > direct IP addressability and routing to devices in the home from the
> > Internet. This is a promising area in IPv6 that has proved challenging
> > in IPv4 with the proliferation of NAT.
>
> NAT devices involve two related but different issues:
> * address translation
> * an implicit "allow only return traffic" firewall-like functionality
>
> One would hope/expect that the former will be gone with IPv6. However, I
> don't think the latter will. As a result, even when you could "address"
> nodes that belong to the "home network", you probably won't be able to
> get your packets to them, unless those nodes initiated the communication
> instance.
>
> For instance (and of the top of my head), this functionality is even
> proposed in the "simple security" requirements that had been produced by
> v6ops.
>
>
> > o End-to-end communication is both an opportunity and a concern as it
> > enables new applications but also exposes nodes in the internal
> > networks to receipt of unwanted traffic from the Internet. Firewalls
> > that restrict incoming connections may be used to prevent exposure,
> > however, this reduces the efficacy of end-to-end connectivity that
> > IPv6 has the potential to restore.
>
> I personally consider this property of "end-to-end connectivity" as
> "gone". -- among other reasons, because it would require a change of
> mindset. I'm more of the idea that people will replicate the
> architecture of their IPv4 networks with IPv6, in which end-systems are
> not reachable from the public Internet.
>
The opportunity for restoring e2e is one of the great opportunities of ipv6 and it is my hope this new WG will drive that with facts and take on fud.
The utility of network based spi firewalls is debatable. Likely a never ending debate.
Cb
> Thanks!
> --
> Fernando Gont
> e-mail: fernando@xxxxxxxxxxx || fgont@xxxxxxx
> PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
>
>
>
> _______________________________________________
> Ietf mailing list
> Ietf@xxxxxxxx
> https://www.ietf.org/mailman/listinfo/ietf
_______________________________________________ Ietf mailing list Ietf@xxxxxxxx https://www.ietf.org/mailman/listinfo/ietf