IETF Logo Mail Archive

Re: Is Firewall mandatory for business?

Fernando Gont <fernando@gont.com.ar> Fri, 16 September 2022 19:23 UTC

Return-Path: <fernando@gont.com.ar>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C5DF2C1524C8; Fri, 16 Sep 2022 12:23:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.908
X-Spam-Level:
X-Spam-Status: No, score=-1.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SsQ4Ah-xuzg8; Fri, 16 Sep 2022 12:23:18 -0700 (PDT)
Received: from fgont.go6lab.si (fgont.go6lab.si [IPv6:2001:67c:27e4::14]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BF567C1524C4; Fri, 16 Sep 2022 12:23:18 -0700 (PDT)
Received: from [10.0.0.137] (unknown [186.19.8.47]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by fgont.go6lab.si (Postfix) with ESMTPSA id 914212802DD; Fri, 16 Sep 2022 16:23:13 -0300 (-03)
Message-ID: <5a34ac6e-8fc0-c68d-0b86-62edffb6d608@gont.com.ar>
Date: Fri, 16 Sep 2022 16:23:11 -0300
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.11.0
Subject: Re: Is Firewall mandatory for business?
Content-Language: en-US
To: Vasilenko Eduard <vasilenko.eduard=40huawei.com@dmarc.ietf.org>, v6ops list <v6ops@ietf.org>, 6man <ipv6@ietf.org>
References: <c66332f7d7044918bd60151a4d2304a3@huawei.com> <becfed43-6326-20e2-91f3-f0cdd4141bdf@gont.com.ar> <cf6e559e7b9f4dbe857b84a46a288b7c@huawei.com>
From: Fernando Gont <fernando@gont.com.ar>
In-Reply-To: <cf6e559e7b9f4dbe857b84a46a288b7c@huawei.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/uUp7Nqf7dfN90R9_V25z3CgHn68>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Sep 2022 19:23:20 -0000

On 16/9/22 15:51, Vasilenko Eduard wrote:
> Hi Fernando,
> Thanks for the answer.
> 
>> 2) diode-like firewall functionality (as an inevitable side effect)
>> In IPv6, it supper common that you replace the NAT device with a firewall device/functionality, so that even when you lose #1, you get to keep #2.
> 
> Would you classify "diode-like firewall functionality" as End-to-End?

It would seem to me that every person has their own understanding of 
what e2e means.

For yet another point of view, you can check: 
https://datatracker.ietf.org/doc/html/draft-gont-opsawg-firewalls-analysis

In that light, yes, a firewall doesn't violate the e2e principle.

And, in any case, the e2e principle -- as in the puristic sense that 
only the endpoints/hosts look at the contents of IP packets -- is not 
how the public Internet operates. That train has left years (if not 
ages) ago.

Thanks,
-- 
Fernando Gont
e-mail: fernando@gont.com.ar
PGP Fingerprint: 7F7F 686D 8AC9 3319 EEAD C1C8 D1D5 4B94 E301 6F01

v2.23.0 | Report a Bug | By Email