ARIN-discuss Message

[arin-discuss] Trying to Understand IPV6


Robert E. Seastrom wrote:
> Joe Maimon<jmaimon at chl.com>  writes:
>
>    
>> Robert E. Seastrom wrote:
>>
>>      
>>> And the firewall will default to "no inbound traffic".  Just like your
>>> NAT router.
>>>        
>> In IPv4, SOHO gear defaults to "no inbound traffic" because
>>
>> a) its the right thing to do
>>
>> b) its what the competitors do
>>
>> c) its a byproduct of NAT, which needs to be turned on by default just
>> to provide basic connectivity in the majority of use cases
>>
>> d) It lowers their support costs and lets the device work out of the box
>>
>> In IPv6 without NAT66, only A is a given.
>>      
> Disagree.  The whole point of a SOHO firewall ("does what it says on
> the box, keeps bad packets out, makes your network smell minty fresh")
> guarantees "B" and business case and call center records will dictate
> "D" even if they get it wrong out of the gate (unlikely).
>    
I dont believe we are discussing the same equipment.

Set aside gear that specifically markets itself as a security device. I 
expect those will continue to be secure out of the box. All other 
residential and SOHO access gear may not.

SPI has costs. SPI with default deny has additional costs.

In IPv4, these costs are inflicted by the required NAT44 feature, so SPI 
default deny has no additional cost. Not so in IPv6, with NAT66 not a 
popular access option, if even ever available at all.

> I'm quite willing to listen to countering points of view though -
> could you please explain why the market forces that push b and d will
> not be present in IPv6 but would somehow be present if only we added
> NAT66 to the equation?
>
> -r
>
>
>    

I am trying to counter the assumption that the majority of interaction 
not required devices will continue to deny inbound traffic out of the 
box with a full blown SPI firewall turned on, with hole punching and 
other resultant required ALG's and end user conveniences developed, 
enabled, tuned, tweaked and supported.

I believe that the major factor for default deny being ubiquitous is due 
to NAT44 being similarly ubiquitous.

Why would support costs be lower for consumer routers with SPI default 
deny than for routers without?

Most hosts already have adequate host based protection available, there 
is no reason to expect low cost device makers to continue duplicating 
the effort for little cause.

I support the notion that NAT66 should be available for those who want 
it without vilification and demonization. I dont support it as a 
sanctioned solution to any problem better global address management can 
solve instead. I dont believe anything we do here will have any real 
effect on NAT66 availability or whether these devices will continue to 
have default deny.


Joe