Re: [v6ops] Thoughts about wider operational input

Vasilenko Eduard <vasilenko.eduard@huawei.com> Mon, 04 April 2022 11:20 UTC

From: Vasilenko Eduard <vasilenko.eduard@huawei.com>
To: JORDI PALET MARTINEZ <jordi.palet=40consulintel.es@dmarc.ietf.org>, "v6ops@ietf.org" <v6ops@ietf.org>
Date: Mon, 04 Apr 2022 11:20:29 +0000
Message-ID: <3899c280da354ee586d2e3e0c381c9c4@huawei.com>
In-Reply-To: <70C561C0-F518-4AEF-8AD1-35F871D37C03@consulintel.es>
References: <52661a3d-75dc-111a-3f23-09b10d7cb8d4@gmail.com> <A72CDDDB-CDCE-4EAF-B95E-997C764DB2C4@gmail.com> <9175dc32-45c1-e948-c20a-3bcc958b77b9@gmail.com> <YjmJQMNgnJoSInUw@Space.Net> <D75EF08F-6A41-41B2-AFB2-649CBCC1D83E@consulintel.es> <CAPt1N1nRnYUFA=yyJHx6t52yqWbmcd2Tf1H8gQuCZBd3Q3VqJw@mail.gmail.com> <7F4AEB43-4B24-4A21-AE9D-3EB512B98C46@consulintel.es> <8fac4314b8244ba6b33eea68694296d0@huawei.com> <9A13E47B-75D0-443F-9EE9-D2917ACB2D0F@consulintel.es> <CAO42Z2xUG+BXj+VQpajed9aGjH+q-HR7RX7C-T4DsTbouz7xWQ@mail.gmail.com> <F6A90BBF-7F44-403E-960A-8F756353B562@chinatelecom.cn> <B49417F7-3EFB-4A4D-9D1A-0D21574EA4F2@consulintel.es> <44B01ACA-3D5C-4618-B608-3B3479D29875@consulintel.es> <62447DCB.1010206@jmaimon.com> <7228D9A7-54A8-4BAE-9299-204C049F600B@consulintel.es> <de1d6cf9-ce16-4347-dfdf-17a427468199@gmail.com> <70C561C0-F518-4AEF-8AD1-35F871D37C03@consulintel.es>
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/b7uY1vyyJL_APg5SokVTiz40KNo>

In reality, it is not easy to have a good firewall and router at the same time, even for a software box.
There were times when I was working for a famous vendor that has a firewall and router as strictly separate devices.
This vendor told enterprises that it is good because the router and firewall are typically managed by different departments.
And because a FW for the enterprise market should have a lot of features that are not available on combo devices.

My point here: do not assume that it would be easy in all cases to activate FW on the CPE.
Ed/
-----Original Message-----
From: v6ops [mailto:v6ops-bounces@ietf.org] On Behalf Of JORDI PALET MARTINEZ
Sent: Monday, April 4, 2022 1:20 PM
To: v6ops@ietf.org
Subject: Re: [v6ops] Thoughts about wider operational input

Yep, that's part of the problem.

I don't think typically "non-home-oriented-CPEs" have an IPv6 firewall, or at least not enabled by default.

"small" SMEs most of the time use the same connectivity as a household subscriber, so most of the time the same "home-oriented-CPE".

If we move to medium SMEs, and of course, enterprises, they should have, in addition to the CPE, a firewall. It may happen that in many cases they have it, but not necessarily all.

Regards,
Jordi
@jordipalet

On 30/3/22, 23:16, "v6ops on behalf of Brian E Carpenter" <v6ops-bounces@ietf.org on behalf of brian.e.carpenter@gmail.com> wrote:

    Jordi,

    As we all know, home gateways that support IPv6 are shipped with a quite adequate default firewall configuration. Is there a good specification for a default firewall configuration for an SME CE router?

    Probably this isn't realistic for large enterprises?

        Brian
    On 31-Mar-22 07:27, JORDI PALET MARTINEZ wrote:
    > Because if you don't have NAT, you are forced to properly configure a firewall.
    > 
    > With a NAT, many don't even have a firewall, or it is not sufficiently well configured.
    > 
    > Regards,
    > Jordi
    > @jordipalet
    >   
    >   
    > 
    > On 30/3/22, 17:58, "v6ops on behalf of Joe Maimon" <v6ops-bounces@ietf.org on behalf of jmaimon@jmaimon.com> wrote:
    > 
    > 
    > 
    >      JORDI PALET MARTINEZ wrote:
    >      >
    >      > To demonstrate how NAT is not security, you just need to enable Teredo
    >      > or any other UDP tunneling traversing the NAT, so the security guys
    >      > can see that without any special config in the NAT, you can dig a
    >      > hole in it (Teredo navalis = shipworm).
    >      >
    >      > Regards,
    >      >
    >      > Jordi
    >      >
    >      > @jordipalet
    >      >
    > 
    >      And then you need to demonstrate how the equivalent would not happen on
    >      IPv6.
    > 
    >      Joe
    > 
    >      _______________________________________________
    >      v6ops mailing list
    >      v6ops@ietf.org
    >      https://www.ietf.org/mailman/listinfo/v6ops
    > 
    > 
    > 
    > **********************************************
    > IPv4 is over
    > Are you ready for the new Internet ?
    > http://www.theipv6company.com
    > The IPv6 Company
    > 
    > This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicitly authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.
    > 
    > 
    > 






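The thread turns on two points: Jordi's argument that NAT by itself is not a security function (the protection people attribute to NAT comes from the state table behind it), and Brian's question about what an "adequate default firewall configuration" for an IPv6 CPE actually consists of. The model below is an added example, not code from any participant or from any CPE vendor: it implements the default-deny, stateful forwarding policy that RFC 6092 recommends for residential IPv6 CPEs, with the ICMPv6 error messages that RFC 4890 says must not be filtered, and runs a constructed packet sequence through it. The interface names, the documentation prefix 2001:db8:1::/64 and all addresses are assumptions chosen for the example; on a real CPE the same policy would be expressed as an nftables or vendor ruleset rather than in Python.

```python
"""Model of a default IPv6 CPE forwarding policy (added example, not from the thread).

Policy, in the spirit of RFC 6092: traffic initiated from the LAN is forwarded and
tracked; inbound traffic from the WAN is forwarded only if it belongs to a tracked
flow, is an essential ICMPv6 error message (RFC 4890), or is an echo request when
inbound ping is permitted. Everything else is dropped.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv6Network, ip_address


@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet arrived on: "lan" or "wan" (assumed names)
    proto: str          # "tcp", "udp" or "icmpv6"
    src: str
    dst: str
    sport: int = 0      # transport ports; unused for ICMPv6
    dport: int = 0
    icmp_type: int = -1


# Constructed delegated prefix; 2001:db8::/32 is the RFC 3849 documentation range.
LAN_PREFIX = IPv6Network("2001:db8:1::/64")

# RFC 4890 section 4.3.1: destination unreachable, packet too big,
# time exceeded, parameter problem. Dropping these breaks PMTUD and diagnostics.
ICMPV6_ERRORS = {1, 2, 3, 4}
ECHO_REQUEST, ECHO_REPLY = 128, 129


class StatefulCpeFilter:
    """Default-deny inbound, stateful forwarding filter for a LAN/WAN CPE."""

    def __init__(self, allow_inbound_echo: bool = True):
        self.allow_inbound_echo = allow_inbound_echo
        self.flows: set[tuple] = set()   # flows initiated from the LAN side

    @staticmethod
    def _flow_key(pkt: Packet) -> tuple:
        if pkt.proto == "icmpv6":
            return ("icmpv6", pkt.src, pkt.dst)
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reverse_key(pkt: Packet) -> tuple:
        # Key the return direction of a flow would have been recorded under.
        if pkt.proto == "icmpv6":
            return ("icmpv6", pkt.dst, pkt.src)
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def forward(self, pkt: Packet) -> str:
        if pkt.iface == "lan":
            # Anti-spoofing: only the delegated prefix may originate outbound traffic.
            if ip_address(pkt.src) not in LAN_PREFIX:
                return "drop"
            self.flows.add(self._flow_key(pkt))
            return "accept"
        if pkt.iface == "wan":
            if self._reverse_key(pkt) in self.flows:
                return "accept"       # established/related: reply to a LAN-initiated flow
            if pkt.proto == "icmpv6":
                if pkt.icmp_type in ICMPV6_ERRORS:
                    return "accept"   # error signalling must get through
                if pkt.icmp_type == ECHO_REQUEST and self.allow_inbound_echo:
                    return "accept"
            return "drop"             # unsolicited inbound: the default
        return "drop"                 # unknown interface


def run_scenario() -> list[str]:
    """Constructed packet sequence; returns the decision for each packet in order."""
    fw = StatefulCpeFilter()
    lan_host, remote = "2001:db8:1::10", "2001:db8:ffff::1"   # constructed addresses
    packets = [
        Packet("lan", "tcp", lan_host, remote, 51000, 443),             # LAN opens HTTPS
        Packet("wan", "tcp", remote, lan_host, 443, 51000),             # server's reply
        Packet("wan", "tcp", remote, lan_host, 40000, 22),              # unsolicited SSH
        Packet("wan", "icmpv6", remote, lan_host, icmp_type=2),         # packet too big
        Packet("wan", "icmpv6", remote, lan_host, icmp_type=ECHO_REQUEST),
        Packet("lan", "udp", "2001:db8:2::bad", remote, 5000, 53),      # spoofed source
        Packet("wan", "udp", remote, lan_host, 53, 5000),               # "reply" to it
    ]
    return [fw.forward(p) for p in packets]


if __name__ == "__main__":
    for decision in run_scenario():
        print(decision)
```

The point the model makes explicit is that every inbound decision depends on state created by an outbound packet, which is exactly what a NAT also does implicitly; removing the NAT removes nothing from this logic, but it does mean the state tracking and the ICMPv6 exceptions have to be configured deliberately, which is Ed's caveat about CPEs where enabling a firewall is not a single switch.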