Re: [v6ops] Thoughts about wider operational input

Vasilenko Eduard <vasilenko.eduard@huawei.com> Tue, 05 April 2022 07:20 UTC

From: Vasilenko Eduard <vasilenko.eduard@huawei.com>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>, "v6ops@ietf.org" <v6ops@ietf.org>
Thread-Topic: [v6ops] Thoughts about wider operational input
Date: Tue, 05 Apr 2022 07:20:43 +0000
Message-ID: <8b6ad52a31594daba13b86c0239a3483@huawei.com>
References: <52661a3d-75dc-111a-3f23-09b10d7cb8d4@gmail.com> <A72CDDDB-CDCE-4EAF-B95E-997C764DB2C4@gmail.com> <9175dc32-45c1-e948-c20a-3bcc958b77b9@gmail.com> <YjmJQMNgnJoSInUw@Space.Net> <D75EF08F-6A41-41B2-AFB2-649CBCC1D83E@consulintel.es> <CAPt1N1nRnYUFA=yyJHx6t52yqWbmcd2Tf1H8gQuCZBd3Q3VqJw@mail.gmail.com> <7F4AEB43-4B24-4A21-AE9D-3EB512B98C46@consulintel.es> <8fac4314b8244ba6b33eea68694296d0@huawei.com> <9A13E47B-75D0-443F-9EE9-D2917ACB2D0F@consulintel.es> <CAO42Z2xUG+BXj+VQpajed9aGjH+q-HR7RX7C-T4DsTbouz7xWQ@mail.gmail.com> <F6A90BBF-7F44-403E-960A-8F756353B562@chinatelecom.cn> <B49417F7-3EFB-4A4D-9D1A-0D21574EA4F2@consulintel.es> <44B01ACA-3D5C-4618-B608-3B3479D29875@consulintel.es> <62447DCB.1010206@jmaimon.com> <7228D9A7-54A8-4BAE-9299-204C049F600B@consulintel.es> <de1d6cf9-ce16-4347-dfdf-17a427468199@gmail.com> <70C561C0-F518-4AEF-8AD1-35F871D37C03@consulintel.es> <3899c280da354ee586d2e3e0c381c9c4@huawei.com> <5311f6d9-e7a7-d050-f8f1-617937c21e31@gmail.com>
In-Reply-To: <5311f6d9-e7a7-d050-f8f1-617937c21e31@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/kc2A6sbv-wsm6-7iuIKBtRGjB4M>
Subject: Re: [v6ops] Thoughts about wider operational input

The vendor I am working for now says that it is exactly 2x cheaper in OPEX and CAPEX to have 1 box in every branch instead of 2, and claims that there is no compromise on features for the combo device.
But that does not address the situation where FWs are managed by the security department on the Enterprise side.
And the vendor that is pushing separate devices is still there. They believe that 2x revenue is better.
Ed/
-----Original Message-----
From: v6ops [mailto:v6ops-bounces@ietf.org] On Behalf Of Brian E Carpenter
Sent: Tuesday, April 5, 2022 1:47 AM
To: v6ops@ietf.org
Subject: Re: [v6ops] Thoughts about wider operational input

Indeed, for large enterprises that is true. But surely vendors should be motivated to provide single-box solutions for medium size enterprises?

Regards
    Brian

On 04-Apr-22 23:20, Vasilenko Eduard wrote:
> In reality, it is not easy to have a good firewall and router at the same time, even for a software box.
> There were times when I was working for a famous vendor that has a firewall and router as strictly separate devices.
> This vendor told Enterprises that it is good because the router and firewall are typically managed by different departments.
> And because FW for the Enterprise market should have a lot of features that are not available on combo devices.
> 
> My point here: do not assume that it would be easy in all cases to activate FW on the CPE.
> Ed/
> -----Original Message-----
> From: v6ops [mailto:v6ops-bounces@ietf.org] On Behalf Of JORDI PALET MARTINEZ
> Sent: Monday, April 4, 2022 1:20 PM
> To: v6ops@ietf.org
> Subject: Re: [v6ops] Thoughts about wider operational input
> 
> Yep, that's part of the problem.
> 
> I don't think typically "non-home-oriented-CPEs" have an IPv6 firewall, or at least not enabled by default.
> 
> "small" SMEs most of the time use the same connectivity as a household subscriber, so most of the time the same "home-oriented-CPE".
> 
> If we move to medium SMEs, and of course, enterprises, they should have, in addition to the CPE, a firewall. It may happen that in many cases they have it, but not necessarily all.
> 
> Regards,
> Jordi
> @jordipalet
>   
>   
> 
> On 30/3/22, 23:16, "v6ops on behalf of Brian E Carpenter" <v6ops-bounces@ietf.org on behalf of brian.e.carpenter@gmail.com> wrote:
> 
>      Jordi,
> 
>      As we all know, home gateways that support IPv6 are shipped with a quite adequate default firewall configuration. Is there a good specification for a default firewall configuration for an SME CE router?
> 
>      Probably this isn't realistic for large enterprises?
> 
>          Brian
>      On 31-Mar-22 07:27, JORDI PALET MARTINEZ wrote:
>      > Because if you don't have NAT, you are forced to properly configure a firewall.
>      >
>      > With a NAT, many don't even have a firewall, or it is not sufficiently well configured.
>      >
>      > Regards,
>      > Jordi
>      > @jordipalet
>      >
>      >
>      >
>      > On 30/3/22, 17:58, "v6ops on behalf of Joe Maimon" <v6ops-bounces@ietf.org on behalf of jmaimon@jmaimon.com> wrote:
>      >
>      >
>      >
>      >      JORDI PALET MARTINEZ wrote:
>      >      >
>      >      > To demonstrate how NAT is not security, you just need to enable Teredo
>      >      > or any other UDP tunneling traversing the NAT, so the security guys
>      >      > can see that without any special config in the NAT, you can dig a
>      >      > hole in it (Teredo navalis = shipworm).
>      >      >
>      >      > Regards,
>      >      >
>      >      > Jordi
>      >      >
>      >      > @jordipalet
>      >      >
>      >
>      >      And then you need to demonstrate how the equivalent would not happen on
>      >      IPv6.
>      >
>      >      Joe
>      >
>      >      _______________________________________________
>      >      v6ops mailing list
>      >      v6ops@ietf.org
>      >      https://www.ietf.org/mailman/listinfo/v6ops
>      >
>      >
>      >
>      > **********************************************
>      > IPv4 is over
>      > Are you ready for the new Internet ?
>      > http://www.theipv6company.com
>      > The IPv6 Company
>      >
>      > This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicitly authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.
>      >
> 

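Jordi's Teredo point above is worth making concrete. The following is an added example, not code from the v6ops thread or from any of its participants: it decodes the Teredo address format from RFC 4380 (prefix 2001::/32, then the Teredo server IPv4, a flags word, and the client's NAT-mapped public port and IPv4 stored inverted) and scans a few constructed flow records for Teredo activity. The key=value log format, the host 10.0.0.23, the documentation-range addresses and the Teredo server 192.0.2.1 are all assumptions made for the example; nothing here comes from a real capture.

```python
"""Find Teredo (RFC 4380) tunnels in a flow log and decode what they expose.

Added example for the v6ops thread above; it is not code from the thread.
Teredo wraps IPv6 in UDP, so it leaves a NAT like any other outbound UDP
flow, and the client's Teredo address embeds the NAT's public mapping.
"""
import ipaddress
import re

TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")  # Teredo service prefix (RFC 4380)
TEREDO_UDP_PORT = 3544                               # Teredo server/relay UDP port (RFC 4380)
CONE_FLAG = 0x8000                                    # "cone NAT" bit of the 16-bit flags field


def decode_teredo(addr):
    """Return the Teredo server, cone flag and the client's mapped public
    IPv4:port embedded in a Teredo address, or None for any other address."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    if ip.version != 6 or ip not in TEREDO_PREFIX:
        return None
    raw = ip.packed  # 16 bytes: prefix(4) server(4) flags(2) ~port(2) ~client(4)
    server = ipaddress.IPv4Address(raw[4:8])
    flags = int.from_bytes(raw[8:10], "big")
    mapped_port = int.from_bytes(raw[10:12], "big") ^ 0xFFFF            # port is stored inverted
    mapped_ip = ipaddress.IPv4Address(bytes(b ^ 0xFF for b in raw[12:16]))  # so is the IPv4
    return {"server": str(server), "cone": bool(flags & CONE_FLAG),
            "mapped_ip": str(mapped_ip), "mapped_port": mapped_port}


def encode_teredo(server, cone, mapped_ip, mapped_port):
    """Inverse of decode_teredo: build the Teredo address a client would get."""
    raw = (TEREDO_PREFIX.network_address.packed[:4]
           + ipaddress.IPv4Address(server).packed
           + (CONE_FLAG if cone else 0).to_bytes(2, "big")
           + (mapped_port ^ 0xFFFF).to_bytes(2, "big")
           + bytes(b ^ 0xFF for b in ipaddress.IPv4Address(mapped_ip).packed))
    return str(ipaddress.IPv6Address(raw))


# Constructed flow records in an assumed key=value format (not a real capture).
# Addresses are from the documentation ranges; 192.0.2.1 plays the Teredo
# server, and the IPv6 source on the third line is the Teredo address of a
# client whose NAT mapped it to 198.51.100.45 port 40000.
SAMPLE_LOG = """\
ts=2022-04-05T07:20:43Z proto=udp src=10.0.0.23 sport=40000 dst=192.0.2.1 dport=3544
ts=2022-04-05T07:20:44Z proto=udp src=10.0.0.23 sport=40000 dst=192.0.2.99 dport=41243
ts=2022-04-05T07:20:45Z proto=tcp src=2001:0:c000:201:8000:63bf:39cc:9bd2 sport=51722 dst=2001:db8::1 dport=443
ts=2022-04-05T07:20:46Z proto=tcp src=10.0.0.23 sport=51723 dst=198.51.100.7 dport=443
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def find_teredo(log_text):
    """Return (ts, kind, detail) findings using two independent signals:
    the UDP port used to reach a Teredo server or relay, visible at the NAT
    itself, and the Teredo prefix on an IPv6 address, which needs a vantage
    point that sees the decapsulated packet (host agent, relay, or DPI)."""
    findings = []
    for line in log_text.splitlines():
        rec = dict(FIELD_RE.findall(line))
        if not rec:
            continue
        if rec.get("proto") == "udp" and rec.get("dport") == str(TEREDO_UDP_PORT):
            findings.append((rec["ts"], "teredo-signalling",
                             f"{rec['src']}:{rec['sport']} -> {rec['dst']}:{rec['dport']}"))
        for side in ("src", "dst"):
            info = decode_teredo(rec.get(side, ""))
            if info:
                findings.append((rec["ts"], f"teredo-{side}",
                                 f"{rec[side]} maps to {info['mapped_ip']}:{info['mapped_port']} "
                                 f"via server {info['server']} (cone={info['cone']})"))
    return findings


if __name__ == "__main__":
    for ts, kind, detail in find_teredo(SAMPLE_LOG):
        print(ts, kind, detail)
```

Two things the output shows that the thread only states. First, the NAT itself never saw anything it would call suspicious: line 1 is an ordinary outbound UDP flow that the NAT mapped and will happily deliver replies for, and line 2, direct client-to-peer Teredo traffic, goes to whatever port the peer's NAT assigned, so the port-3544 rule does not catch it at all. Second, the Teredo address on line 3 hands the client's public IPv4 and mapped port to every IPv6 peer it talks to, which is exactly the "hole" Jordi describes. A stateful filter on the CE router that only admits return traffic for flows the inside opened does not help here either, since the tunnel is such a flow; blocking UDP 3544 outbound and the 2001::/32 prefix on any IPv6-aware filter is the usual policy response.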