On 29 Oct 2010, at 20:20, james woodyatt wrote:

> On Oct 29, 2010, at 09:46, Rémi Després wrote:
>
>> 3. Sec 13 has "it is RECOMMENDED that NAT66 devices include an IPv6 firewall
>> function, and the firewall function SHOULD be configured by default to block
>> all incoming connections."
>> Wouldn't a reference to draft-ietf-v6ops-cpe-simple-security be appropriate?
>
> I-D.ietf-v6ops-cpe-simple-security is about residential gateways, with
> special emphasis on unmanaged configuration. I thought we didn't believe
> that was an appropriate scenario for NAT66 usage?

I strongly agree with you that simple CPEs (unmanaged ones) shouldn't have NAT66!
As you know, I even instantly suggest that they should by default be transparent (i.e. not filtering incoming connections).

The point made is just that, should stateless NAT66 CPEs exist at all and be combined with a FW, their level of security should be at least that which has been carefully documented in your draft.

Besides this, as you may have noticed, I still have serious personal doubts that stateless NAT66s are sufficiently useful to be deployed. But this is a different point.

Regards,
RD
