[arin-discuss] Trying to Understand IPV6

Leo Bicknell bicknell at ufp.org
Tue Sep 14 21:10:18 EDT 2010


In a message written on Tue, Sep 14, 2010 at 08:56:14PM -0400, Joe Maimon wrote:
> SPI costs product development and support. SPI causes state table 
> exhaustion issues for p2p and similar multitude of connections traffic. 
> Port scanning through an SPI isn't any fun, as an example. SPI default 
> deny creates support issues and product perception issues when end users 
> believe or are told that they need to manually tune or turn it off.

I find this whole SPI stuff rather amusing.  Every home box I've
ever seen in the past few years has this feature already in big
print.  For instance, let's look at Netgear's LOWEST end box:

http://www.netgear.com/products/home/wirelessouters/simplesharing/WNR1000.aspx

"Double firewall protection (SPI and NAT firewall)"

SPI is already in nearly all consumer boxes, because some of them
are deployed with public IP's today (yes, some providers do that!),
and in fact it's probably on by default in millions of home gateways
right now with no problems.  If it in fact were a support issue it
wouldn't already be ubiquitous.

Further, since the IPv6 code base is new, the choices for the vendors
are SPIv6, or SPIv6 + NATv6.  There is no choice to leave the users
unprotected, and when they have been trumpeting "Double firewall
protection" for years in IPv4 they aren't going to do NAT6 only.
So in fact SPIv6 only and leaving out NATv6 _reduces_ cost, and
support complexity by only having to do one thing rather than two.

Folks speak as if residential users have never been deployed with
"real" IP's.  While it is not the dominant configuration, a number
of large regional ISP's deploy residential users with static /29's
or similar configs.  There are millions of users today on public
space, protected by SPI firewalls.  It's really not a problem, and
in many ways good.

-- 
       Leo Bicknell - bicknell at ufp.org - CCIE 3440
        PGP keys at http://www.ufp.org/~bicknell/
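
A toy model of the SPI-without-NAT gateway this message discusses, as an added example that is not part of the original post: hosts keep their global addresses, yet unsolicited inbound packets are dropped, and a full state table shows the exhaustion concern raised in the quoted text. The prefix, addresses, class name, table size and evict-oldest policy are all assumptions made for illustration.

```python
import ipaddress
from collections import OrderedDict

LAN = ipaddress.ip_network("2001:db8:1::/64")  # constructed documentation prefix


class StatefulFilter:
    """Toy SPI gateway: routes global addresses unchanged (no NAT), default-deny inbound."""

    def __init__(self, lan, max_states=1024):
        self.lan = lan
        self.max_states = max_states      # assumed fixed-size state table
        self.states = OrderedDict()       # flow 5-tuple, least recently used first

    def forward(self, proto, src, sport, dst, dport):
        """Return 'accept' or 'drop' for one packet crossing the gateway."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src in self.lan and dst not in self.lan:
            # Outbound: always allowed, and remembered so the reply can return.
            key = (proto, src, sport, dst, dport)
            if key not in self.states and len(self.states) >= self.max_states:
                self.states.popitem(last=False)   # assumed policy: evict oldest flow
            self.states[key] = True
            self.states.move_to_end(key)
            return "accept"
        if dst in self.lan and src not in self.lan:
            # Inbound: allowed only as the mirror image of a tracked outbound flow.
            key = (proto, dst, dport, src, sport)
            if key in self.states:
                self.states.move_to_end(key)
                return "accept"
        return "drop"


def demo():
    """Constructed traffic: one LAN host with a global address, one outside peer."""
    fw = StatefulFilter(LAN, max_states=2)
    host, peer = "2001:db8:1::10", "2001:db8:ffff::1"
    return [
        fw.forward("tcp", peer, 40000, host, 22),     # unsolicited inbound
        fw.forward("tcp", host, 50000, peer, 443),    # outbound creates state
        fw.forward("tcp", peer, 443, host, 50000),    # reply matches state
        fw.forward("tcp", host, 50001, peer, 443),    # table now full
        fw.forward("tcp", host, 50002, peer, 443),    # evicts the 50000 flow
        fw.forward("tcp", peer, 443, host, 50000),    # late reply, state gone
    ]


if __name__ == "__main__":
    print(demo())
```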