On Jul 1, 2014, at 3:45 AM, Fernando Gont
<fernando(_at_)gont(_dot_)com(_dot_)ar> wrote:

> IPv6 with a diode-firewall on the perimeter would essentially face the
> same challenge/problem. I seem to recall folks noting that that's how
> they deploy v6 to the home...

Well, sort of. A zone-based firewall (NAT or otherwise) primarily allows in
responses to traffic it has sent out, and https://tools.ietf.org/html/rfc6092
is an example of that. However, just as NATs do, such firewalls usually allow
for a firewall rule that will allow specified traffic to go to a specified
address. That’s the purpose of PCP, for example.

That is a place I have well and truly scratched my head regarding the firewall
discussion in the IETF. There’s a set of people, including me, that think that
firewalls have a certain level of utility and in any event are a business
requirement. There’s another set of people who “don’t want no stinkin’
firewalls”, and argue their case on the basis of the end to end principle. No
aspersions here; I understand their point, and my daughter’s surveillance
service would be a case in point of the kind of service they want to enable.

Where my head tips is this. I see three kinds of traffic across that divide.
One is sessions originated from the network - I sent something to Netflix,
Facebook, or whoever, and it replied. The vast majority of residential traffic,
I would guess, falls in that category, and apart from electronic mail and traffic
to business services to customers, I would guess that the vast majority of
legitimate enterprise traffic does as well. A second is sessions originated
from outside the network to services that the network intends to offer - web
access to www.example.com, incoming SMTP, my daughter’s surveillance service
(which is a web access), and so on. The third is “everything else” - traffic
that wasn’t invited and has no application, and perhaps no host, to respond to
it.

The first works in almost any case - a firewall that prevents you from running
an application you want to run isn’t going to last very long. The second is
trivially allowed for by a firewall rule or PCP/UPnP exchange, and if there is
an application (set-top box or whatever) in the home that wants to allow for
such a service, it can fire off the request. The third - what is the argument
for letting that into my home or enterprise network?

And I tend to think that the conversation breaks down at that point. Everyone
agrees on the first and second. When someone says “I want to block the third”,
the response is “but I want to allow the second” without acknowledging or
commenting on the third. And I just find myself shaking my head in disbelief.
Wouldn’t it be nice if both speakers in the conversation would address the same
subject?
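As an added illustration (not part of the thread, and not anyone's deployed config), here is one way to express the three traffic classes described above in an nftables ruleset for a Linux IPv6 home gateway: class one via connection tracking, class two via a pinhole set that a PCP/UPnP daemon could populate, class three dropped by policy. The interface names lan0/wan0, the host 2001:db8::10 and its port are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the thread. Interface names (lan0/wan0), the
# host 2001:db8::10 and the port 443 are assumptions for illustration.
flush ruleset

table ip6 cpe_fw {
    # Class 2 pinholes: services the home intends to offer. A PCP/UPnP
    # daemon would add and expire elements here instead of editing rules.
    set pinholes {
        type ipv6_addr . inet_proto . inet_service
        flags timeout
        # constructed sample element: an HTTPS camera feed inside the home
        elements = { 2001:db8::10 . tcp . 443 }
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Class 1: replies to sessions originated from inside
        # (the RFC 6092 default behaviour of a stateful CPE firewall)
        ct state established,related accept
        ct state invalid drop

        # New sessions may originate from the LAN side
        iifname "lan0" oifname "wan0" accept

        # ICMPv6 messages IPv6 needs in order to work at all (RFC 4890)
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept

        # Class 2: explicitly invited inbound sessions only
        # ("th dport" needs a recent nftables; use tcp/udp dport otherwise)
        iifname "wan0" ct state new ip6 daddr . meta l4proto . th dport @pinholes accept

        # Class 3: uninvited traffic. Logged and counted so the drops are
        # visible to the operator; the chain policy already drops it.
        iifname "wan0" log prefix "cpe-fw uninvited: " counter drop
    }
}
```

Load with `nft -f` and inspect the class-three counter with `nft list chain ip6 cpe_fw forward` to see how much uninvited traffic the gateway is actually absorbing.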