Re: [v6ops] Thoughts about wider operational input

Brian E Carpenter <brian.e.carpenter@gmail.com> Mon, 04 April 2022 22:46 UTC

To: v6ops@ietf.org
References: <52661a3d-75dc-111a-3f23-09b10d7cb8d4@gmail.com> <A72CDDDB-CDCE-4EAF-B95E-997C764DB2C4@gmail.com> <9175dc32-45c1-e948-c20a-3bcc958b77b9@gmail.com> <YjmJQMNgnJoSInUw@Space.Net> <D75EF08F-6A41-41B2-AFB2-649CBCC1D83E@consulintel.es> <CAPt1N1nRnYUFA=yyJHx6t52yqWbmcd2Tf1H8gQuCZBd3Q3VqJw@mail.gmail.com> <7F4AEB43-4B24-4A21-AE9D-3EB512B98C46@consulintel.es> <8fac4314b8244ba6b33eea68694296d0@huawei.com> <9A13E47B-75D0-443F-9EE9-D2917ACB2D0F@consulintel.es> <CAO42Z2xUG+BXj+VQpajed9aGjH+q-HR7RX7C-T4DsTbouz7xWQ@mail.gmail.com> <F6A90BBF-7F44-403E-960A-8F756353B562@chinatelecom.cn> <B49417F7-3EFB-4A4D-9D1A-0D21574EA4F2@consulintel.es> <44B01ACA-3D5C-4618-B608-3B3479D29875@consulintel.es> <62447DCB.1010206@jmaimon.com> <7228D9A7-54A8-4BAE-9299-204C049F600B@consulintel.es> <de1d6cf9-ce16-4347-dfdf-17a427468199@gmail.com> <70C561C0-F518-4AEF-8AD1-35F871D37C03@consulintel.es> <3899c280da354ee586d2e3e0c381c9c4@huawei.com>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Message-ID: <5311f6d9-e7a7-d050-f8f1-617937c21e31@gmail.com>
Date: Tue, 05 Apr 2022 10:46:30 +1200
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.10.0
MIME-Version: 1.0
In-Reply-To: <3899c280da354ee586d2e3e0c381c9c4@huawei.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/oAE8Ua-X13bn8d84Hx815-lAA3g>
Subject: Re: [v6ops] Thoughts about wider operational input

Indeed, for large enterprises that is true. But surely vendors should be motivated to provide single-box solutions for medium size enterprises?

Regards
    Brian

On 04-Apr-22 23:20, Vasilenko Eduard wrote:
> In reality, it is not easy to have a good firewall and Router at the same time even for a software box.
> There were times when I was working for a famous vendor that has a firewall and router as strictly separate devices.
> This vendor told Enterprises that it is good because the router and firewall are typically managed by different departments.
> And because FW for the Enterprise market should have a lot of features that are not available on combo devices.
> 
> My point here: do not assume that it would be easy in all cases to activate FW on the CPE.
> Ed/
> -----Original Message-----
> From: v6ops [mailto:v6ops-bounces@ietf.org] On Behalf Of JORDI PALET MARTINEZ
> Sent: Monday, April 4, 2022 1:20 PM
> To: v6ops@ietf.org
> Subject: Re: [v6ops] Thoughts about wider operational input
> 
> Yep, that's part of the problem.
> 
> I don't think typically "non-home-oriented-CPEs" have an IPv6 firewall, or at least not enabled by default.
> 
> "small" SMEs most of the time use the same connectivity as a household subscriber, so most of the time the same "home-oriented-CPE".
> 
> If we move to medium SMEs, and of course, enterprises, they should have, in addition to the CPE, a firewall. It may happen that in many cases, they have it, but not necessarily all.
> 
> Regards,
> Jordi
> @jordipalet
>   
>   
> 
> On 30/3/22, 23:16, "v6ops on behalf of Brian E Carpenter" <v6ops-bounces@ietf.org on behalf of brian.e.carpenter@gmail.com> wrote:
> 
>      Jordi,
> 
>      As we all know, home gateways that support IPv6 are shipped with a quite adequate default firewall configuration. Is there a good specification for a default firewall configuration for an SME CE router?
> 
>      Probably this isn't realistic for large enterprises?
> 
>          Brian
>      On 31-Mar-22 07:27, JORDI PALET MARTINEZ wrote:
>      > Because if you don't have NAT, you are forced to properly configure a firewall.
>      >
>      > With a NAT, many don't even have a firewall, or it is not sufficiently well configured.
>      >
>      > Regards,
>      > Jordi
>      > @jordipalet
>      >
>      >
>      >
>      > On 30/3/22, 17:58, "v6ops on behalf of Joe Maimon" <v6ops-bounces@ietf.org on behalf of jmaimon@jmaimon.com> wrote:
>      >
>      >
>      >
>      >      JORDI PALET MARTINEZ wrote:
>      >      >
>      >      > To demonstrate how NAT is not security, you just need to enable Teredo
>      >      > or any other UDP tunneling traversing the NAT, so the security guys
>      >      > can see that without any special config in the NAT, you can dig a
>      >      > hole in it (Teredo Navalis = Shipworm).
>      >      >
>      >      > Regards,
>      >      >
>      >      > Jordi
>      >      >
>      >      > @jordipalet
>      >      >
>      >
>      >      And then you need to demonstrate how the equivalent would not happen on
>      >      IPv6.
>      >
>      >      Joe
>      >
>      >      _______________________________________________
>      >      v6ops mailing list
>      >      v6ops@ietf.org
>      >      https://www.ietf.org/mailman/listinfo/v6ops
>      >
>      >
>      >
>      > **********************************************
>      > IPv4 is over
>      > Are you ready for the new Internet ?
>      > http://www.theipv6company.com
>      > The IPv6 Company
>      >
>      > This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicitly authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.
>      >
>      >
>      >
>      >
> 
> 
> 
> 
> 
> 
> 
>
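Brian's question above about a default firewall configuration for an SME CE router, and Jordi's point that without NAT one is forced to configure a firewall properly, are what the following nftables ruleset illustrates. It is an added example, not part of this thread and not any vendor's CPE configuration: a stateful, default-deny IPv6 filter along the lines of the residential "simple security" recommendations in RFC 6092 and the ICMPv6 filtering guidance in RFC 4890 (neither RFC is cited in the thread). The interface names wan0 and lan0 and the log prefixes are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example, not from the v6ops thread: default-deny stateful IPv6
# filtering for a CE router. "wan0" (ISP-facing) and "lan0" (inside)
# are assumed interface names.
flush ruleset

table ip6 cpe_filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback and anything from the LAN side (management, ND, DHCPv6)
        iifname "lo" accept
        iifname "lan0" accept

        # Replies to sessions the router itself opened (DNS, NTP, ...)
        ct state established,related accept
        ct state invalid drop

        # ICMPv6 error messages the router needs to keep IPv6 working
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept

        # Neighbour discovery from the upstream link; ND is only valid
        # with hop limit 255, so anything else is not on-link and is dropped
        icmpv6 type { nd-router-advert, nd-neighbor-solicit,
                      nd-neighbor-advert } ip6 hoplimit 255 accept

        # Ping, rate limited so the router cannot be used as a reflector
        icmpv6 type { echo-request, echo-reply } limit rate 10/second accept

        # DHCPv6 server replies arrive from a link-local address on the WAN
        iifname "wan0" udp sport 547 udp dport 546 ip6 saddr fe80::/10 accept

        # Everything else unsolicited from the WAN: log (rate limited), then
        # fall through to the chain policy, which drops it
        iifname "wan0" limit rate 5/minute log prefix "cpe-in-drop: "
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # LAN hosts may open outbound sessions
        iifname "lan0" oifname "wan0" accept

        # From the WAN, only traffic belonging to a flow a LAN host opened
        iifname "wan0" oifname "lan0" ct state established,related accept
        ct state invalid drop

        # Path MTU discovery and error reports must reach LAN hosts
        iifname "wan0" icmpv6 type { destination-unreachable, packet-too-big,
                                     time-exceeded, parameter-problem } accept

        # Unsolicited inbound to a LAN host: log (rate limited), then drop
        iifname "wan0" limit rate 5/minute log prefix "cpe-fwd-drop: "
    }
}
```

Load it with `nft -f <file>` and confirm with `nft list ruleset`; the `cpe-in-drop:` and `cpe-fwd-drop:` prefixes make the drops easy to find in the kernel log when something on the LAN stops working. Relative to the thread: this gives the same "no unsolicited inbound" behaviour that NAT provides as a side effect, but as an explicit, inspectable policy. It does not, and cannot, stop a LAN host from opening an outbound UDP flow that a remote peer then uses, which is exactly the Teredo point Jordi raises and Joe's follow-up: a stateful filter, like NAT, admits return traffic on flows the inside host initiated, so that exposure is an endpoint and application policy matter on both IPv4 and IPv6, not something a CE default can remove.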