There was some discussion on arin-ppml regarding ULA-C which led to talking
about NAT and its role.

One point that rose out of that discussion is that most consumers will
presume, because they have NAT today, some kind of stateful firewall in
their shiny new IPv6 router.  Section 3.1 of the current draft discusses
current NAT behavior in IPv4 routers, but the draft in its current form
doesn't describe a CPE feature that provides similar functionality in an
IPv6 CPE router.

For that reason (with assistance from Michael Dillon), I would like to
suggest the following be placed in section 4.2, perhaps as W-4.

        All IPv6 CPE should include a stateful firewall,
        enabled by default, to give end user networks 
        some of the benefits that they gain from the 
        stateful firewall behavior that is part of most 
        IPv4 NAT implementations.  The firewall should 
        support the configuration of a DMZ on a certain 
        IPv6 address or prefix.  It should include
        support for inbound access control lists and may
        include support for outbound access control lists.

Without this behavior these IPv6 routers will be just that, routers, and
unnecessarily expose broadband customer hosts to Internet-based probing and
attacks.  A stateful firewall for IPv6 traffic would provide some beneficial
functional consistency between the two IP versions.

With the existence of several *nix-based open source firewall packages,
implementation would not be burdensome.

Perhaps some of you feel strongly enough about this you would change the
"should" to "must".  I'm OK with that, but that might set the bar too high.

Kind regards,

Frank Bulk
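The following nftables ruleset is an added illustration of what the proposed W-4 requirement amounts to on a Linux-based CPE; it is not part of the original message or of any draft text. The interface names (`wan0`, `lan0`), the DMZ host address (taken from the 2001:db8::/32 documentation prefix) and the inbound ACL contents are constructed assumptions. It contrasts the "plain router" setting (a `forward` chain with `policy accept`, shown only in a comment) with the stateful default-drop behaviour the proposal asks for, plus a DMZ pinhole and an inbound ACL.

```nftables
#!/usr/sbin/nft -f
# Added example for a hypothetical IPv6 CPE router (not from the original post).
# Interface names and addresses below are assumptions for illustration.
flush ruleset

define wan      = "wan0"
define lan      = "lan0"
define dmz_host = 2001:db8:1::10      # constructed, documentation prefix

table ip6 cpe_fw {

    # Inbound access control list: explicit pinholes to LAN services.
    # Empty by default on a shipped device; populated by the user.
    set inbound_acl {
        type inet_service
        elements = { 443 }              # constructed example entry
    }

    # A bare IPv6 router would have "policy accept" here and no ct rules,
    # which is exactly the exposure the proposal is trying to avoid.
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Stateful behaviour: replies to flows the LAN initiated are allowed back.
        ct state established,related accept
        ct state invalid drop

        # LAN hosts may initiate outbound connections.
        # An optional outbound ACL would be inserted before this rule.
        iifname $lan oifname $wan accept

        # DMZ: unsolicited traffic from the WAN is admitted only to the DMZ host.
        # A prefix (e.g. a /64) could be used here instead of a single address.
        iifname $wan oifname $lan ip6 daddr $dmz_host accept

        # Inbound ACL: selected TCP services on ordinary LAN hosts.
        iifname $wan oifname $lan tcp dport @inbound_acl accept

        # ICMPv6 error messages must pass so that path MTU discovery keeps working.
        meta l4proto ipv6-icmp icmpv6 type {
            destination-unreachable, packet-too-big,
            time-exceeded, parameter-problem
        } accept
    }

    # Traffic addressed to the router itself.
    chain input {
        type filter hook input priority filter; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # Management and DHCPv6/RA services for the LAN side.
        iifname $lan accept

        # From the WAN: neighbour discovery, router advertisements from the ISP,
        # echo requests and the ICMPv6 error types the link needs.
        iifname $wan meta l4proto ipv6-icmp icmpv6 type {
            nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert,
            echo-request, destination-unreachable, packet-too-big,
            time-exceeded, parameter-problem
        } accept

        # DHCPv6 client replies from the ISP (client listens on UDP 546).
        iifname $wan udp dport 546 accept
    }
}
```

Loading this with `nft -f` on the CPE gives LAN hosts the same "nothing comes in unless we asked for it" property that IPv4 NAT provided as a side effect, while the DMZ rule and the `inbound_acl` set are the two knobs the proposed text asks the vendor to expose to the end user.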

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------