Re: [fw-wiz] IPv6 support in firewalls
- From: "Paul Melson" <pmelson@xxxxxxxxx>
- Date: Wed, 22 Aug 2007 20:11:58 -0400
On 8/22/07, Darren Reed <darrenr@xxxxxxxxxxxxxxxxx> wrote:
> It's not just this, people today want to deploy/build large scale IP
> networks where 10/8 isn't enough, not to mention giving those
> addresses visibility to the Internet.
NOOOOO! One of the great things about the perceived scarcity of IPv4
space on the Internet is that it finally forced most of the
institutions that were still using public addresses for everything
with an Ethernet port in it to implement NAT (and thus a firewall of
some sort). For nearly two decades, K12's, .gov's, state & locals,
and .edu's just swung their entire network in the public address space
breeze. They rocked out with their netblock out, so to speak.
The thought of a return to that kind of "we've got plenty, put it on
the public net" makes my stomach turn. I turned over a few of those
rocks (putting once-public address space behind firewalls and
reviewing the logs) and it wasn't pretty.
> The only way that they can plan to do this is by specifying
> that IPv6 is used - there is no other alternative.
I say we dust off IPX. Sure, it didn't natively support sockets, but
it had name resolution, server-less dynamic addressing is a snap (or
is that a SAP?), and you won't run out of address space before the
manufacturers do - built in provisioning control! :-)
> Anyone want to start a pool/tab on when the sky will reach the ground? :)
We've been swimming in clouds for a long time.
firewall-wizards mailing list