Re: [v6ops] draft-ietf-v6ops-enterprise-incremental-ipv6 WGLC

Tom Perrine <tperrine@scea.com> Wed, 21 August 2013 17:19 UTC

Message-ID: <5214F6AC.8070105@scea.com>
Date: Wed, 21 Aug 2013 10:19:40 -0700
From: Tom Perrine <tperrine@scea.com>
To: v6ops@ietf.org
In-Reply-To: <520945FF.4000700@gmail.com>
Subject: Re: [v6ops] draft-ietf-v6ops-enterprise-incremental-ipv6 WGLC

On 8/12/13 1:30 PM, Brian E Carpenter wrote:
> On 12/08/2013 17:27, Arie Vayner (avayner) wrote:
>> Owen,
>>
>> While the arguments about moving the firewalls closer to the users are valid, they are often not practical (or at least the customers I worked with would not implement this option).
>> Imagine an enterprise network with 300 spoke sites, but only 2 or 3 Internet gateway locations (with some private WAN in between).
>> Moving the firewalls to the spoke sites would increase the number of firewalls from ~3 to ~300 (I am ignoring redundancy and scale for a second)... This is a major CAPEX and OPEX impact...
> 
> Clearly DOS and scanning protection has to be done as close to the Internet
> border routers as possible, and there your logic applies.
> 
> However, as Steve Bellovin pointed out many years ago, the best number of
> firewalls for upper layer protection is one per host, which scales nicely
> and has less CAPEX and OPEX than middlebox firewalls will ever have.

SDSC.EDU ran a major HPC center without border firewalls for the 10 years I was there (1993-2003), and still does.

"Firewalls are for things too stupid to protect themselves" was the design principle I put in place then, and it can
still be valid today, if you have very good host management.

You can manage all of those on-host firewalls as a single large virtual firewall, whether it is Puppet/cfengine +
iptables, or your Windows host management tool of choice.

None of this is IPv6-specific, it just seems that people want to use "OMG firewalls!!!!!" as a reason to avoid moving to
IPv6.  Same arguments, different advancement they are trying to avoid, different decade.
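As an added illustration of the "one virtual firewall, many host firewalls" approach (this is not code from the message above or from Puppet/cfengine), the following Python snippet renders a per-host ip6tables INPUT chain from a single constructed central policy. The roles, ports and management prefix are invented; the ICMPv6 allow-list is the part most often missed when host firewalls are moved to IPv6, since dropping neighbor discovery or packet-too-big breaks connectivity.

```python
"""Render per-host ip6tables rules from one central policy (constructed example)."""
from typing import Dict, List

# Constructed central policy: role -> inbound TCP ports that role exposes to all.
POLICY: Dict[str, List[int]] = {
    "web": [80, 443],
    "ssh-bastion": [22],
    "compute": [],
}

# ICMPv6 types every IPv6 host must accept, or it loses neighbor discovery,
# router discovery and path MTU discovery (per RFC 4890 filtering guidance).
REQUIRED_ICMPV6 = [
    "destination-unreachable", "packet-too-big", "time-exceeded",
    "parameter-problem", "echo-request", "router-advertisement",
    "neighbor-solicitation", "neighbor-advertisement",
]

def host_rules(role: str, mgmt_net: str = "2001:db8:100::/48") -> List[str]:
    """Return the ip6tables INPUT chain for one host of the given role.

    mgmt_net is an assumed management prefix (documentation range) that may
    reach SSH on every host; anything not listed is dropped and logged.
    """
    if role not in POLICY:
        raise KeyError(f"unknown role {role!r}")
    rules = [
        "-P INPUT DROP",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    rules += [f"-A INPUT -p icmpv6 --icmpv6-type {t} -j ACCEPT" for t in REQUIRED_ICMPV6]
    rules.append(f"-A INPUT -s {mgmt_net} -p tcp -m conntrack --ctstate NEW --dport 22 -j ACCEPT")
    for port in sorted(set(POLICY[role])):
        rules.append(f"-A INPUT -p tcp -m conntrack --ctstate NEW --dport {port} -j ACCEPT")
    rules.append("-A INPUT -j LOG --log-prefix 'ip6-drop: '")
    return rules

def render_fleet(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Treat the fleet as one virtual firewall: one policy, one rule set per host."""
    return {host: host_rules(role) for host, role in inventory.items()}
```

A configuration-management tool would write each host's list to its ip6tables-restore input, so a policy change in POLICY propagates to every host on the next run.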