
RE: NATs as firewalls

2007-03-05 01:53:03
No real disagreement here but I do see a way forward. First, clarify the
terminology. Second publish a pair of RFCs rather like 1009 entitled
"Requirements for Consumer Internet Gateways" and "Requirements for
Enterprise Internet Gateways".

Are you aware of RFC 4084 "Terminology for Describing 
Internet Connectivity"?

I was not aware of it until now but I think that it targets a different
audience, namely ISPs who offer services and people who discuss ISP
services. I wonder how many ISPs are even aware of this RFC.

In any case, RFC 1009 is targeted at vendors and implementors of
gateways. I believe that we not only need to sort out the tangle of
terminology and concepts surrounding NAT, IPv4, firewalls, IPv6 and
security, but also provide some clear guidance to developers of gateway
hardware and software. The shift to IPv6 and winding down of IPv4
address allocations provides the opportunity to do this. As the news of
IPv4 wind-down spreads, people will be hungry for more information and
the story that IPv6 is better because it has more addresses just isn't
good enough.

IPv6 is also a technology refresh, i.e. it forces vendors to reimplement
their boxes. It forces people to buy new systems. If the only thing that
they get is a new protocol with wider addresses, then they will see this
as a generally negative experience and wonder why people with more money
couldn't just buy IPv4 addresses from those with less. Let them eat NAT!

But, if there are clear guidelines for IPv6 gateways that focus on
enabling functionality then people will see a value in upgrading. An
explicit firewall service is a value. No NAT thus enabling more
peer-to-peer applications is a value. There could be more to it as well.

For instance, if we accept the model that the majority of Internet hosts
will communicate with the core via stateful gateways, then there is the
possibility of a standard way for an application to communicate with its
local stateful gateway in order to change the state, rather than
implementing things like STUN (Simple Traversal of UDP through NAT).
That too, would be a value for the buyer of a standard Internet gateway.

--Michael Dillon


_______________________________________________
Ietf mailing list
ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf
