[arin-discuss] Trying to Understand IPV6
Joe Maimon
jmaimon at chl.com
Wed Sep 15 01:05:44 EDT 2010
Leo Bicknell wrote:
> In a message written on Tue, Sep 14, 2010 at 08:56:14PM -0400, Joe Maimon wrote:
>
>> SPI costs product development and support. SPI causes state table
>> exhaustion issues for p2p and similar multitude of connections traffic.
>> Port scanning through an SPI isn't any fun, as an example. SPI default
>> deny creates support issues and product perception issues when end users
>> believe or are told that they need to manually tune or turn it off.
>>
> I find this whole SPI stuff rather amusing. Every home box I've
> ever seen in the past few years has this feature already in big
> print. For instance, let's look at Netgear's LOWEST end box:
>
> http://www.netgear.com/products/home/wirelessouters/simplesharing/WNR1000.aspx
>
> "Double firewall protection (SPI and NAT firewall)"
>
> SPI is already in nearly all consumer boxes, because some of them
> are deployed with public IP's today (yes, some providers do that!),
> and in fact it's probably on by default in millions of home gateways
> right now with no problems. If it in fact were a support issue it
> wouldn't already be ubiquitous.
>
> Further since the IPv6 code base is new, the choices for the vendors
> are SPIv6, or SPIv6 + NATv6. There is no choice to leave the users
> unprotected, and when they have been trumpeting "Double firewall
> protection" for years in IPv4 they aren't going to do NAT6 only.
> So in fact SPIv6 only and leaving out NATv6 _reduces_ cost, and
> support complexity by only having to do one thing rather than two.
>
> Folks speak as if residential users have never been deployed with
> "real" IP's. While it is not the dominant configuration, a number
> of large regional ISP's deploy residential users with static /29's
> or similar configs. There are millions of users today on public
> space, protected by SPI firewalls. It's really not a problem, and
> in many ways good.
>
>
SPI's are in many ways good. Do they owe their ubiquity to NAT44 and how
will the lack of NAT66 affect that? I think it is much too early to tell.
Joe