
Re: Why people buy NATs

2004-11-28 10:39:09
I'm sorry to reply so long after the fact, but...

On 23-nov-04, at 3:12, Hans Kruse wrote:

> However, most SOHO sites look for a zero-order level of protection against the random worm trying to connect to an open TCP port on the average windows machine (especially one set up for file/print sharing on the SOHO network), and NAT does that just fine.
>
> IPv6 marketing has to take this into account, with a deliberate "here is why the IPv6 gateway provides the same default protection as NAT..." FAQ entry.

Actually in IPv6 you are well-protected against random scanning without the need for any device in the middle: a /64 subnet is so large that scanning it is completely infeasible.

Now of course someone who knows your address doesn't have to scan, so this protection isn't complete. But for TCP it's entirely trivial to only allow sessions to be set up in one direction. Full stateful firewalling is of course also possible. However, both these options bring back some of the downsides of NAT: in order to make incoming sessions possible, there must be configuration of some sort.

A default filter that rejects packets for services that are generally intended for local use only would probably be good enough for a residential IPv6 router. Other services are either not enabled and/or firewalled in the host anyway, or the user actually wants them to work.

(It would be incredibly helpful to have all these local-use services in a fixed range of port numbers for easy filtering...)


_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf
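The two policies the post contrasts, a default filter that only rejects inbound packets for local-use services versus a stricter "TCP sessions only in one direction" rule, are easy to confuse, so here is an added example (not from the post or any real router) that models both as a first-match decision over constructed IPv6 packets, together with the /64 scanning arithmetic. The port sets, the `2001:db8:1:2::/64` prefix and the probe rate are assumptions chosen for illustration.

```python
# Added example (not from the mailing-list post): a small model of the
# residential IPv6 filter the post sketches, plus the /64 scanning
# arithmetic. Port sets, prefix and probe rate are assumptions.
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network

# Services that are only meaningful on the local network. Dropping them
# inbound by default is the post's "default filter" idea. The set is an
# assumption built from well-known Windows file/print sharing ports.
LOCAL_USE_PORTS = {
    "tcp": {135, 137, 138, 139, 445},   # MS-RPC, NetBIOS session, SMB
    "udp": {137, 138, 5353},            # NetBIOS name/datagram, mDNS
}

# Constructed documentation prefix standing in for the home LAN.
LAN = IPv6Network("2001:db8:1:2::/64")


@dataclass
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmpv6"
    dport: int = 0
    syn: bool = False   # TCP flags; only meaningful when proto == "tcp"
    ack: bool = False


def decide(pkt: Packet, inside: IPv6Network = LAN,
           one_direction: bool = False) -> tuple:
    """Return (verdict, reason) for one packet crossing the router.

    one_direction=False: only the local-use default filter (post's option 2).
    one_direction=True:  additionally refuse inbound TCP session setup
                         (post's option 1, stateless form).
    """
    src, dst = IPv6Address(pkt.src), IPv6Address(pkt.dst)
    inbound = dst in inside and src not in inside
    if not inbound:
        return ("accept", "outbound or LAN-internal traffic is not filtered")
    if pkt.proto == "icmpv6":
        return ("accept", "ICMPv6 is required for IPv6 (ND, path MTU)")
    if pkt.dport in LOCAL_USE_PORTS.get(pkt.proto, set()):
        return ("drop", "local-use service")
    if one_direction and pkt.proto == "tcp" and pkt.syn and not pkt.ack:
        # A bare SYN is a new inbound connection. SYN/ACK or a plain ACK
        # belongs to a session an inside host already opened, so it passes.
        return ("drop", "inbound TCP session setup")
    return ("accept", "reply traffic or a service the user wants reachable")


SECONDS_PER_YEAR = 365 * 24 * 3600


def years_to_scan(prefixlen: int, probes_per_second: float) -> float:
    """Time to probe every address in a prefix at a given rate."""
    return 2 ** (128 - prefixlen) / probes_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    outside, inside = "2001:db8:9::1", "2001:db8:1:2::10"   # constructed
    samples = [
        Packet(outside, inside, "tcp", 445, syn=True),             # SMB probe
        Packet(outside, inside, "tcp", 22, syn=True),              # new SSH
        Packet(outside, inside, "tcp", 443, syn=True, ack=True),   # reply
        Packet(inside, outside, "tcp", 443, syn=True),             # outbound
        Packet(outside, inside, "icmpv6"),
    ]
    for policy in (False, True):
        print(f"one_direction={policy}")
        for p in samples:
            print("  ", p.proto, p.dport, decide(p, one_direction=policy))
    print(f"/64 at 1e9 probes/s: {years_to_scan(64, 1e9):.0f} years")
```

The SYN-without-ACK test is the stateless approximation of "sessions only in one direction"; a real router would instead track connections and accept reply traffic with something like `ip6tables -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`, which is the "full stateful firewalling" the post mentions. The `years_to_scan` figure (several hundred years for a /64 even at a billion probes per second) is the whole reason the post treats random scanning as a non-issue; the filter exists for attackers who already know an address.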

