Re: [v6ops] Operational Consensus on deployment

Ross Chandler <ross@eircom.net> Wed, 06 August 2014 18:56 UTC

From: Ross Chandler <ross@eircom.net>
Date: Wed, 06 Aug 2014 19:55:42 +0100
To: IPv6 Ops WG <v6ops@ietf.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/v6ops/tEPjD0EEIWRzFscv1EQERHIIJHE
Cc: Tore Anderson <tore@fud.no>
Subject: Re: [v6ops] Operational Consensus on deployment

On 5 Aug 2014, at 21:10, Tore Anderson <tore@fud.no> wrote:

> I would generally recommend locating the SIIT gateways as close to the
> edge of your network as possible. Ideally as a logical function located
> inside the border routers. That way, on the inside you can simply treat
> everything as IPv6, and have one IPv6 firewall, one IPv6 ACL, one IPv6
> IGP topology, and so on, and so on.


Another reason why the firewall should normally be on the IPv6 side is that asymmetric traffic might be flowing through the stateless SIIT gateway, assuming that there’s more than one of them in different parts of the network.

Ross
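
The asymmetric-path point above, as an added example that is not part of the original message: a toy connection-tracking firewall placed either on the IPv4 side of each of two stateless gateways or once on the IPv6 side. The addresses, the /96 prefix, the static server mapping and all function names are constructed assumptions.

```python
import ipaddress

# Constructed sample values (documentation ranges, RFC 6052 well-known prefix).
PREFIX = ipaddress.IPv6Network("64:ff9b::/96")
CLIENT4 = ipaddress.IPv4Address("198.51.100.7")   # IPv4-only client
SERVER6 = ipaddress.IPv6Address("2001:db8::80")   # IPv6-only server
SERVER4 = ipaddress.IPv4Address("192.0.2.80")     # hypothetical static IPv4 mapping for SERVER6

def to_v6(a4):
    """Stateless IPv4 -> IPv6 mapping: embed the address in the /96 prefix."""
    return ipaddress.IPv6Address(int(PREFIX.network_address) | int(a4))

class StatefulFirewall:
    """Minimal connection tracker: only a SYN to a protected host creates state."""
    def __init__(self, protected):
        self.protected = set(protected)
        self.flows = set()

    def permit(self, src, dst, sport, dport, flags):
        key = (src, sport, dst, dport)
        if flags == "SYN" and dst in self.protected:
            self.flows.add(key)
            return True
        # Any other packet must belong to a flow this instance has already seen.
        return key in self.flows or (dst, dport, src, sport) in self.flows

def run(firewall_side):
    """Return (syn_permitted, synack_permitted) for one TCP handshake.

    The SYN enters through gateway A and the SYN-ACK leaves through gateway B,
    which is the asymmetric case with gateways in different parts of the network.
    """
    if firewall_side == "ipv4":
        # One firewall per gateway, outside the translator: state is not shared.
        fw_a = StatefulFirewall({SERVER4})
        fw_b = StatefulFirewall({SERVER4})
        syn = fw_a.permit(CLIENT4, SERVER4, 40000, 443, "SYN")
        synack = fw_b.permit(SERVER4, CLIENT4, 443, 40000, "SYN-ACK")
    else:
        # One firewall on the IPv6 side. Translation is stateless, so either
        # gateway yields the same IPv6 source and the firewall sees both directions.
        fw = StatefulFirewall({SERVER6})
        client6 = to_v6(CLIENT4)
        syn = fw.permit(client6, SERVER6, 40000, 443, "SYN")
        synack = fw.permit(SERVER6, client6, 443, 40000, "SYN-ACK")
    return syn, synack

if __name__ == "__main__":
    print("firewall on IPv4 side of each gateway:", run("ipv4"))
    print("single firewall on IPv6 side:        ", run("ipv6"))
```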