On 4/17/14 8:51 PM, "Matthew Kaufman" <matt...@matthew.at> wrote:
> While you're at it, the document can explain to admins who have been
> burned, often more than once, by the pain of re-numbering internal
> services at static addresses how IPv6 without NAT will magically solve
> this problem.

http://datatracker.ietf.org/doc/rfc6879/

This document analyzes events that cause renumbering and describes the
current renumbering methods. These are described in three categories:
those applicable during network design, those applicable during
preparation for renumbering, and those applicable during the renumbering
operation.

Lee

> Matthew Kaufman
>
> (Sent from my iPhone)
>
>> On Apr 17, 2014, at 4:20 PM, Brandon Ross <br...@pobox.com> wrote:
>>
>> On Thu, 17 Apr 2014, Sander Steffann wrote:
>>
>>>> Also, I note your draft is entitled "Requirements for IPv6 Enterprise
>>>> Firewalls." Frankly, no "enterprise" firewall will be taken seriously
>>>> without address-overloaded NAT. I realize that's a controversial
>>>> statement in the IPv6 world but until you get past it you're basically
>>>> wasting your time on a document which won't be useful to industry.
>>>
>>> I disagree. While there certainly will be organisations that want such
>>> a 'feature' it is certainly not a requirement for every (I hope most,
>>> but I might be optimistic) enterprises.
>>
>> And I not only agree with Sander, but would also argue for a definitive
>> statement in a document like this SPECIFICALLY to help educate the
>> enterprise networking community on how to implement a secure border for
>> IPv6 without the need for NAT. Having a document to point at that has
>> been blessed by the IETF/community is key to helping recover the
>> end-to-end principle. Such a document may or may not be totally in
>> scope for a "firewall" document, but should talk about concepts like
>> default-deny inbound traffic, stateful inspection and the use of address
>> space that is not announced to the Internet and/or is completely blocked
>> at borders for all traffic.
>>
>> Heck, we could even make it less specific to IPv6 and create a document
>> that describes these concepts and show how NAT is not necessary nor wise
>> for IPv4, either. (Yes, yes, other than address conservation.)
>>
>> --
>> Brandon Ross                                      Yahoo & AIM: BrandonNRoss
>> +1-404-635-6667                                   ICQ: 2269442
>>                                                   Skype: brandonross
>> Schedule a meeting: http://www.doodle.com/bross
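The three concepts Brandon lists (default-deny inbound, stateful inspection, and address space that is blocked at the border) can be expressed directly in an IPv6 border ruleset with no translation at all. The following nftables configuration is an added illustration for this thread, not text from any of the posters or from the draft under discussion. The interface names `wan0` and `lan0`, the global prefix `2001:db8:1::/48` (documentation space) and the choice to use ULA `fd00::/8` for internal-only services are assumptions made for the example.

```nftables
#!/usr/sbin/nft -f
# Added example: IPv6 border firewall without NAT.
# Assumed topology: wan0 faces the Internet, lan0 faces the enterprise.
# 2001:db8:1::/48 is the (documentation) global prefix routed to us;
# fd00::/8 (ULA) carries internal-only services and is never announced.

flush ruleset

define WAN    = wan0
define LAN    = lan0
define SITE   = 2001:db8:1::/48
define ULA    = fd00::/8

table ip6 border {
    chain forward {
        # Default-deny: nothing crosses the border unless a rule allows it.
        type filter hook forward priority filter; policy drop;

        # Stateful inspection: replies to connections the inside opened
        # are admitted by connection tracking, which is what made NAT
        # "feel" protective in IPv4. Invalid state is dropped outright.
        ct state established,related accept
        ct state invalid drop

        # Internal-only address space is blocked at the border in both
        # directions: it must neither leak out nor be reachable from outside.
        iifname $WAN ip6 saddr $ULA drop
        iifname $WAN ip6 daddr $ULA drop
        oifname $WAN ip6 saddr $ULA drop

        # Anti-spoofing: packets arriving from the Internet must not claim
        # to originate from our own prefix.
        iifname $WAN ip6 saddr $SITE drop

        # Outbound: hosts in our prefix may initiate new connections.
        iifname $LAN oifname $WAN ip6 saddr $SITE ct state new accept

        # Inbound exceptions are explicit and narrow. ICMPv6 error
        # messages are required for Path MTU discovery to work end to end.
        iifname $WAN icmpv6 type { destination-unreachable, packet-too-big,
                                   time-exceeded, parameter-problem } accept

        # Example published service: one host, one port, default-deny otherwise.
        iifname $WAN ip6 daddr 2001:db8:1:10::25 tcp dport 443 ct state new accept
    }
}
```

Load it with `nft -f <file>` and confirm the policy with `nft list ruleset`; the drop policy on the `forward` chain, together with `ct state established,related accept`, is what gives inside hosts unsolicited-inbound protection while keeping their real addresses visible end to end. The `input` and `output` chains for the firewall itself are deliberately left out here so the example stays focused on the border-forwarding argument in the thread.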