[arin-discuss] Trying to Understand IPV6
Robert E. Seastrom wrote:
> Joe Maimon <jmaimon at chl.com> writes:
>> Robert E. Seastrom wrote:
>>> And the firewall will default to "no inbound traffic". Just like your
>>> NAT router.
>> In IPv4, SOHO gear defaults to "no inbound traffic" because
>> a) it's the right thing to do
>> b) it's what the competitors do
>> c) it's a byproduct of NAT, which needs to be turned on by default just
>> to provide basic connectivity in the majority of use cases
>> d) It lowers their support costs and lets the device work out of the box
>> In IPv6 without NAT66, only A is a given.
> Disagree. The whole point of a SOHO firewall ("does what it says on
> the box, keeps bad packets out, makes your network smell minty fresh")
> guarantees "B" and business case and call center records will dictate
> "D" even if they get it wrong out of the gate (unlikely).
I don't believe we are discussing the same equipment.
Set aside gear that specifically markets itself as a security device. I
expect those will continue to be secure out of the box. All other
residential and SOHO access gear may not.
SPI has costs. SPI with default deny has additional costs.
In IPv4, these costs are inflicted by the required NAT44 feature, so SPI
default deny has no additional cost. Not so in IPv6, with NAT66 not a
popular access option, if even ever available at all.
> I'm quite willing to listen to countering points of view though -
> could you please explain why the market forces that push b and d will
> not be present in IPv6 but would somehow be present if only we added
> NAT66 to the equation?
I am trying to counter the assumption that the majority of
interaction-not-required devices will continue to deny inbound traffic out
of the box with a full-blown SPI firewall turned on, with hole punching and
other resultant required ALGs and end-user conveniences developed,
enabled, tuned, tweaked and supported.
I believe that the major factor for default deny being ubiquitous is due
to NAT44 being similarly ubiquitous.
Why would support costs be lower for consumer routers with SPI default
deny than for routers without?
Most hosts already have adequate host based protection available, there
is no reason to expect low cost device makers to continue duplicating
the effort for little cause.
I support the notion that NAT66 should be available for those who want
it without vilification and demonization. I don't support it as a
sanctioned solution to any problem better global address management can
solve instead. I don't believe anything we do here will have any real
effect on NAT66 availability or whether these devices will continue to
have default deny.
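The difference the thread is arguing about, "default deny falls out of NAT44 for free, but must be explicitly configured for IPv6", is easy to see in a router ruleset. The following nftables configuration is an added illustration and is not from the list post or any vendor firmware; it assumes a Linux router with nftables, a WAN interface named eth0, a LAN interface named eth1, and the documentation prefix 2001:db8:1::/64 delegated to the LAN (all placeholders).

```nftables
#!/usr/sbin/nft -f
# Constructed example: interface names and the 2001:db8:1::/64 prefix are
# placeholders, not taken from the mailing-list post.
flush ruleset

define wan = "eth0"
define lan = "eth1"

# IPv4 side. The only feature the box *had* to ship with is NAT44, and
# this one masquerade rule is enough for basic connectivity. Because the
# LAN uses RFC 1918 addresses and outbound flows are tracked by conntrack
# to build the reverse mapping, an unsolicited inbound packet has no
# mapping and no routable LAN destination: it is dropped without any
# filter chain or default-deny policy having been configured.
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $wan masquerade
    }
}

# IPv6 side. Every LAN host has a global address and, once forwarding is
# enabled, the router will happily route any packet to it. Nothing here is
# a byproduct of another feature: the state tracking, the drop policy and
# the ICMPv6 exceptions all have to be written, tested and supported on
# their own, which is the "additional cost" of SPI with default deny.
table ip6 filter {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Reply traffic for flows the LAN initiated (the SPI part).
        ct state established,related accept
        ct state invalid drop

        # LAN-originated outbound flows create the state entries above.
        iifname $lan oifname $wan accept

        # ICMPv6 that must transit for PMTUD and error reporting to work
        # (the RFC 4890 "must not be dropped" set plus echo-request).
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem,
                      echo-request } accept

        # The IPv6 counterpart of an IPv4 port forward: a per-host pinhole.
        # 2001:db8:1::10 is a placeholder LAN host.
        iifname $wan ip6 daddr 2001:db8:1::10 tcp dport 22 ct state new accept
    }
}
```

Load it with `nft -f` on a test router and compare the two halves: removing the entire `ip6 filter` table leaves every LAN host reachable from the Internet, while removing the `ip nat` table simply breaks IPv4 connectivity rather than exposing anything, which is the asymmetry the post is pointing at. The pinhole line is also where the ALG and hole-punching support costs mentioned above show up in IPv6: each one is an explicit rule the vendor has to expose and maintain instead of a port-forward mapping that NAT already required.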