Re: [v6ops] Hmm. Interesting article...

[Tim Chown <tjc@ecs.soton.ac.uk>]

> On 2 Feb 2016, at 18:45, Fred Baker (fred) <fred@cisco.com> wrote:
> 
> 
>> On Feb 2, 2016, at 10:31 AM, Tim Chown <tjc@ecs.soton.ac.uk> wrote:
>> 
>>> There is an unaddressed tension here.
>>> I think one view is that IPv6 should be deployed without firewalls so all
>>> hosts are reachable from arbitrary other hosts on the Internet.
>>> I think the other view is that all/most/many hosts should be protected by
>>> a stateful firewall.
>>> 
>>> I don¹t know that we can resolve this tension in v6ops, but I want to make
>>> it explicit.
>> 
>> Well, we’ve seen a few firewall models put forward in v6ops. RFC 6092 seems
>> to have been generally well received. It may well be the only one that made it
>> to RFC status? e.g. draft-ietf-v6ops-balanced-ipv6-security-01 stopped at that
>> version.
> 
> That is explicitly why Fernando and I are trying to have a firewall discussion in opsawg (draft-gont-opsawg-firewalls-analysis). RFC 6092 is certainly a common firewall model (modeling a NAT's behavior), but I would say that the consensus supporting it was "rough". The other firewall models proposed (draft-ietf-v6ops-balanced-ipv6-security, draft-vyncke-advanced-ipv6-security) basically pushed towards firewall-as-a-service, and as such gutted the filter function.
> 
> I'll refer us to that discussion if we want to go general on firewall functionality.
> 
> My question here was essentially about finding a simple rule *on*the*host* that might obviate a lot of attacks and probing. The conclusion that I draw is that I can do anything I want as long as I don't change anything, and yes, my suggestion is a change. I actually do think there may be value in it, however.

I agree. And to me that seems fine - how the host handles the address(es) it uses to initiate or receive traffic is a matter for it, just as host-based filtering / access control is.

Tim