[ipv6hackers] Implications of IPv6 on network firewalls

Marco Ermini marco.ermini at gmail.com
Fri Dec 16 12:24:28 CET 2011


On 24 November 2011 23:38, Fernando Gont wrote:
[...]
> I consider "basic functionality" that which parallels what we currently
> do with IPv4.
[...]

Maybe the problem lies in what we consider "basic functionality".

Personally I believe that IPv4 and IPv6 simply have different scopes
of usage. It is incorrect to simply match their functionality 1:1.

IPsec support is (or at least, was until some time ago...) a MANDATORY
functionality in IPv6, therefore I would consider this "basic",
although we may argue about what we mean by "basic".

BTW, almost all of the routers/firewalls on the market have an
implicit "deny ip any any" at the end of the ACLs - at least this is
true for Juniper's JunOS (although JunOS also allows changing the
default behaviour), and for Cisco's it has been true since the very old PIXes.


Regards
-- 
Marco Ermini
root at human # mount -t life -o ro /dev/dna /genetic/research
http://www.linkedin.com/in/marcoermini
"Jesus saves... but Buddha makes incremental back-ups!"


