Re: [v6ops] draft-ietf-v6ops-enterprise-incremental-ipv6 WGLC

Tom Perrine <> Wed, 21 August 2013 17:19 UTC


On 8/12/13 1:30 PM, Brian E Carpenter wrote:
> On 12/08/2013 17:27, Arie Vayner (avayner) wrote:
>> Owen,
>> While the arguments about moving the firewalls closer to the users are valid, they are often not practical (or at least the customers I worked with would not implement this option).
>> Imagine an enterprise network with 300 spoke sites, but only 2 or 3 Internet gateway locations (with some private WAN in between).
>> Moving the firewalls to the spoke sites would increase the number of firewalls from ~3 to ~300 (I am ignoring redundancy and scale for a second)... This is a major CAPEX and OPEX impact...
> Clearly DOS and scanning protection has to be done as close to the Internet
> border routers as possible, and there your logic applies.
> However, as Steve Bellovin pointed out many years ago, the best number of
> firewalls for upper layer protection is one per host, which scales nicely
> and has less CAPEX and OPEX than middlebox firewalls will ever have.

SDSC.EDU ran a major HPC center without border firewalls for the 10 years I was there (1993-2003), and still does.

"Firewalls are for things too stupid to protect themselves" was the design principle I put in place then, and it can
still be valid today, if you have very good host management.

You can manage all of those on-host firewalls as a single large virtual firewall, whether it is Puppet/cfengine +
iptables, or your Windows host management tool of choice.

None of this is IPv6-specific, it just seems that people want to use "OMG firewalls!!!!!" as a reason to avoid moving to
IPv6.  Same arguments, different advancement they are trying to avoid, different decade.
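The "one large virtual firewall" idea in the message above, rendered as code. This is an added example, not something from the original thread or from SDSC: one central, role-keyed policy is rendered into ip6tables-restore format for each host, so a tool like Puppet or cfengine pushes the same logic everywhere and a policy change is made once. The roles, ports and 2001:db8::/32 prefixes are constructed for the example. The ICMPv6 allow-list is the one caveat a practitioner hits when doing this for IPv6: a default-DROP INPUT chain that also drops Neighbor Discovery and Packet Too Big messages breaks the host, which is the most common way a host-firewall rollout ends up blamed on IPv6 itself.

```python
"""Render per-host ip6tables rulesets from one central, role-based policy.

Added example: a centrally managed 'virtual firewall' for hosts. The policy
below is constructed for illustration; roles, ports and prefixes are made up.
"""
import ipaddress

# Central policy: role -> list of (proto, dport, allowed source prefixes).
# Constructed data; 2001:db8::/32 is the IPv6 documentation prefix.
POLICY = {
    "web": [("tcp", 80, ["::/0"]),
            ("tcp", 443, ["::/0"]),
            ("tcp", 22, ["2001:db8:ad::/48"])],        # admin jump network
    "db":  [("tcp", 5432, ["2001:db8:10::/48"]),       # app tier only
            ("tcp", 22, ["2001:db8:ad::/48"])],
}

# ICMPv6 types a host must accept or Neighbor Discovery and PMTUD break
# (RFC 4890, section 4.3.1): 1 dest-unreach, 2 packet-too-big,
# 3 time-exceeded, 4 parameter-problem, 128/129 echo,
# 133-136 router/neighbor solicitation and advertisement.
REQUIRED_ICMPV6 = (1, 2, 3, 4, 128, 129, 133, 134, 135, 136)


def render(role: str, policy: dict = POLICY) -> str:
    """Return an ip6tables-restore ruleset for one host role.

    Default policy is DROP on INPUT/FORWARD; only loopback, established
    flows, required ICMPv6 and the role's services are accepted.
    """
    if role not in policy:
        raise KeyError(f"unknown role {role!r}")
    lines = [
        "*filter",
        ":INPUT DROP [0:0]",
        ":FORWARD DROP [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "-A INPUT -m conntrack --ctstate INVALID -j DROP",
    ]
    for icmp_type in REQUIRED_ICMPV6:
        lines.append(f"-A INPUT -p icmpv6 --icmpv6-type {icmp_type} -j ACCEPT")
    for proto, port, sources in policy[role]:
        for src in sources:
            # Validate the prefix at render time so a typo fails in CI,
            # not on 300 hosts at once.
            ipaddress.ip_network(src, strict=True)
            lines.append(
                f"-A INPUT -s {src} -p {proto} --dport {port} "
                f"-m conntrack --ctstate NEW -j ACCEPT"
            )
    # Rate-limited logging of what the default DROP eats, for the SOC.
    lines.append('-A INPUT -m limit --limit 5/min -j LOG --log-prefix "hostfw-drop: "')
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


def allowed(role: str, src: str, proto: str, dport: int,
            policy: dict = POLICY) -> bool:
    """Model what the rendered INPUT chain would do with a NEW connection.

    Used to unit-test the central policy before it is pushed out, which is
    the operational advantage of managing host firewalls as one policy.
    """
    addr = ipaddress.ip_address(src)
    for p, port, sources in policy[role]:
        if p != proto or port != dport:
            continue
        if any(addr in ipaddress.ip_network(s) for s in sources):
            return True
    return False


if __name__ == "__main__":
    # A config management tool would write this to a file and run
    # `ip6tables-restore < file` on each host of that role.
    print(render("web"))
    print("db accepts app tier on 5432:",
          allowed("db", "2001:db8:10::5", "tcp", 5432))
    print("db accepts Internet on 5432:",
          allowed("db", "2001:db8:ffff::1", "tcp", 5432))
```

The point of `allowed()` is that a single policy file becomes testable: the same assertions that gate a middlebox change (who can reach the database, who can SSH) run against the host ruleset in CI, before any of the 300 hosts see it.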