Re: [fw-wiz] IPv6 support in firewalls

Hi, wizards,

On Thu, Aug 23, 2007 at 02:42:03PM -0400, Dave Piscitello wrote:
> Marcus, a proposal nearly identical to what you suggest was one of the first
> presented at the IETF in the mid-1990s. At the time, the intelligentsia
> pooh-poohed it as not being sufficiently forward-looking and innovative. It
> didn't consider 64-bit alignment. It didn't *fix* options. It didn't *fix*
> QOS. It didn't accommodate IP security in a "native" manner.
>
> Happily, time wounds all heels. Over a decade later, and we've bent,
> twisted, tunneled, re-mapped, stretched, and NAT'd IPv4 until it does
> everything IPv6 promised - and now, all IPv6 brings to the table is a bigger
> field for addresses and an ungainly, unwanted and arguably unwarrantable
> transition scenario.

IPv6 brings back the end-to-end principle and NAT its well-deserved
death. This alone should be enough reason to go for it.

And I don't see what should be particularly more difficult to
implement in an IPv6 based application level gateway than in
an IPv4 based one. Terminate both connections in a proxy process
instead of messing with headers. Simple and effective.

OK, honestly, I cannot write an "IPv6" firewall on a jug of beer
and I don't claim I could. But some vendors got it mostly right
for IPv4 simply by using transparent proxy processes instead
of "deep adaptive whatever inspection".

And a TCP connection carrying HTTP is a TCP connection carrying
HTTP regardless of the layer 3 protocol. I expect the few remaining
ALG vendors to be the first to have proper IPv6 capable solutions
for this simple architectural reason.

Kind regards,
Patrick M. Hausen
Leiter Netzwerke und Sicherheit
-- GmbH * Vorholzstr. 25 * 76137 Karlsruhe
Tel. 0721 9109 0 * Fax 0721 9109 100
Gf: Jürgen Egeling AG Mannheim 108285
firewall-wizards mailing list
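The architectural point Patrick makes (terminate the inbound connection in a proxy, open a separate outbound one, and never touch layer-3 headers) can be shown in a few dozen lines. The following is an added example written for this page, not code from the poster or from any firewall product: a minimal TCP relay whose byte-copying path has no knowledge of the address family, so the same function serves an IPv4 listener and an IPv6 listener, and an IPv6 client can be relayed to an IPv4 upstream without any header rewriting. The echo "service" used as the upstream is constructed for the example; the function names (`pump`, `handle_client`, `start_proxy`, `round_trip`) are this example's own.

```python
"""Tiny dual-stack TCP relay in the ALG style: the client connection is
terminated here and a fresh upstream connection is opened; only application
bytes cross between them.  Nothing in the relay path reads or rewrites IP
headers, which is why the identical code handles IPv4 and IPv6."""
import contextlib
import socket
import threading


def start_echo_server(host="127.0.0.1"):
    """Constructed upstream for the example: echoes whatever it receives."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))           # port 0: let the OS pick a free port
    srv.listen()

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                while data := conn.recv(4096):
                    conn.sendall(data)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


def pump(src, dst):
    """Copy application bytes one way until EOF, then half-close the far side.
    This is the whole 'inspection point': only payload is visible here."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        with contextlib.suppress(OSError):
            dst.shutdown(socket.SHUT_WR)


def handle_client(client, upstream):
    """Terminate the client's TCP session and open our own towards upstream.
    create_connection() picks the outbound address family from `upstream`,
    so an IPv6 client and an IPv4 upstream need no special handling."""
    with client, socket.create_connection(upstream) as server:
        back = threading.Thread(target=pump, args=(server, client), daemon=True)
        back.start()
        pump(client, server)
        back.join()


def start_proxy(listen_host, upstream):
    """Listen on one address (v4 or v6, chosen by the literal) and relay
    every accepted connection to `upstream`.  Returns the (host, port) bound."""
    family = socket.AF_INET6 if ":" in listen_host else socket.AF_INET
    lst = socket.socket(family, socket.SOCK_STREAM)
    lst.bind((listen_host, 0))
    lst.listen()

    def accept_loop():
        while True:
            try:
                client, _ = lst.accept()
            except OSError:
                return
            threading.Thread(target=handle_client, args=(client, upstream),
                             daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return lst.getsockname()[:2]  # IPv6 getsockname() returns a 4-tuple


def round_trip(proxy_addr, payload: bytes) -> bytes:
    """Client side: send `payload` through the proxy and collect the reply."""
    with socket.create_connection(proxy_addr) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while d := s.recv(4096):
            chunks.append(d)
    return b"".join(chunks)


if __name__ == "__main__":
    echo = start_echo_server()
    for listen in ("127.0.0.1", "::1"):
        try:
            proxy = start_proxy(listen, echo)
        except OSError as exc:
            print(f"{listen}: cannot listen ({exc})")
            continue
        print(listen, round_trip(proxy, b"GET / HTTP/1.0\r\n\r\n"))
```

Run as a script it starts the echo upstream on IPv4, then relays to it through a listener on 127.0.0.1 and, where the host has IPv6 loopback, through a listener on ::1. The point to notice is that `pump()` and `handle_client()` contain no address-family logic at all; a real ALG would put its HTTP or SMTP parsing inside `pump()`, and that parsing would be exactly as independent of IPv4 versus IPv6 as the relay is.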