Re: IESG position on NAT traversal and IPv4/IPv6

[Phillip Hallam-Baker <hallam@gmail.com>]

On Mon, Nov 15, 2010 at 11:41 AM, Hadriel Kaplan <HKaplan@acmepacket.com>wrote:

> Absolutely.  And it should work in environments with IPv6 NATs, and in
> environments with IPv6 firewalls, and in environments with IPv6 consumer
> gateways which block inbound packets until an outbound packet opens a
> pinhole.  All of those fundamentally require the same sort of NAT traversal
> as for IPv4.  None of us have a crystal ball to tell us how IPv6 will end up
> being deployed.
>

That is a good point. Regardless of whether I have NAT for IPv6, I will most
certainly operate with inbound connections disabled by default. That has
saved me against all manner of network worms.

One of the features of Stuxnet was that it attacked certain network attached
printers. I have at least two printers that are more than ten years old and
I could not justify paying the $3500 they would cost to replace new. Neither
is supported by the vendor so patches do not exist.

We really need to have the platform vendors provide an infrastructure to
support authenticated port management so that ports are opened for specific,
permissioned applications and not end up with hosts being thrown into DMZ by
default.



> Having said all that, I'm curious what makes the IESG believe they have the
> authority to impose any such future vision/goal on WG proposed standards.  I
> don't believe RFC 3710, 2026 nor 2418 gives the IESG such discretion.  I
> could be misreading those RFCs, but I believe the criteria the IESG should
> be using are in RFC 2026 sections 4.1.1 and 6.1.2, and they're fairly
> limited.


That should be the function of the IAB. But ever since the infamous Kobe
disaster it has not performed that function and neither has anyone else.

-- 
Website: http://hallambaker.com/