Consumer Grade - IPV6 Enabled Router Firewalls.

Mark Newton wrote, on 2009-12-11 03:09:
> You kinda do if you're using a stateful firewall with a "deny
> everything that shouldn't be accepted" policy. UPnP (or something
> like it) would have to tell the firewall what should be accepted.

That's putting the firewall at the mercy of viruses, worms, etc. The firewall
shouldn't trust anything else to tell it what is good and bad traffic.

Everyone knows a NAT gateway isn't really a firewall, except more or less
accidentally. There's no good way to provide a hardware firewall in an
average residential environment that is not a disaster waiting to happen.

If you make it "smart" (i.e. UPnP) then it will of course autoconfigure
itself for an appropriate virus.

However, your average home user often doesn't change their $FOOGEAR
password from the default of 1234, and it is reasonable to assume that
at some point, viruses will ship with some minimal knowledge of how to
"manually" fix their networking environment. Or better yet? Runs a
password cracker until it figures it out, since the admin interfaces
on these things are rarely hardened.

If you actually /do/ a really good firewall, then of course users find
it "hard to use" and your company takes a support hit, maybe gets a
bad reputation, etc.

There's no winning.

... JG

Joe Greco wrote, on 2009-12-11 08:36:

> Everyone knows a NAT gateway isn't really a firewall, except more or less
> accidentally. There's no good way to provide a hardware firewall in an
> average residential environment that is not a disaster waiting to happen.
>
> If you make it "smart" (i.e. UPnP) then it will of course autoconfigure
> itself for an appropriate virus.
>
> However, your average home user often doesn't change their $FOOGEAR
> password from the default of 1234, and it is reasonable to assume that
> at some point, viruses will ship with some minimal knowledge of how to
> "manually" fix their networking environment. Or better yet? Runs a
> password cracker until it figures it out, since the admin interfaces
> on these things are rarely hardened.
>
> If you actually /do/ a really good firewall, then of course users find
> it "hard to use" and your company takes a support hit, maybe gets a
> bad reputation, etc.
>
> There's no winning.

Agreed.

We have thus come to the conclusion that there shouldn't be a NAT-like firewall
in IPv6 home routers.

Thanks,
Simon

No, the conclusion is that for IPv6 there should be something that behaves much like current IPv4 NAT boxes, i.e. do stateful firewalling and only let internal computers initiate connections outgoing, do protocol sniffing for allowing incoming new connections, and use some UPnP-like method to do temporary firewall openings.

This is the social contract of the current home gateway ecosystem, and initially IPv6 devices need to replicate this.

Last I checked, this was the conclusion of multiple IPv6 related IETF working groups, check out "homegate" and "v6ops" WGs for instance.
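As an added illustration (not part of the thread or any vendor's firmware), the policy the reply above describes, written as a minimal nftables ruleset for an IPv6 CPE: outbound-only by default, return traffic via connection tracking, and inbound openings held in sets whose entries expire. It assumes the LAN bridge is `br-lan`, the uplink is `eth0`, and a PCP/UPnP-style daemon (not shown) is the only writer to the pinhole sets.

```nft
#!/usr/sbin/nft -f
# Added example ruleset; interface names and the pinhole daemon are assumptions.
flush ruleset

table ip6 cpe {
    # Inbound openings a LAN host asked for. Every entry carries a timeout,
    # so an opening that nobody renews closes itself.
    set pinholes_tcp {
        type ipv6_addr . inet_service
        flags timeout
    }
    set pinholes_udp {
        type ipv6_addr . inet_service
        flags timeout
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for flows an inside host initiated
        ct state established,related accept
        ct state invalid drop

        # Inside hosts may initiate anything outbound
        iifname "br-lan" oifname "eth0" accept

        # ICMPv6 that end hosts need (RFC 4890): PMTUD, error reports, ping
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, echo-reply } accept

        # New inbound connections only to explicitly opened, expiring pinholes
        iifname "eth0" ip6 daddr . tcp dport @pinholes_tcp accept
        iifname "eth0" ip6 daddr . udp dport @pinholes_udp accept
    }

    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Neighbor discovery and router advertisements from the upstream link
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } accept

        # Management only from the LAN side; the WAN never reaches the admin UI
        iifname "br-lan" accept
    }
}
```

A pinhole is opened with `nft add element ip6 cpe pinholes_tcp { 2001:db8::10 . 8080 timeout 1h }` (documentation address, constructed value) and disappears on its own after an hour, which is the property that limits the damage when something on the LAN asks for openings it should not have.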

Once upon a time, Joe Greco <jgreco@ns.sol.net> said:

> Everyone knows a NAT gateway isn't really a firewall, except more or less
> accidentally. There's no good way to provide a hardware firewall in an
> average residential environment that is not a disaster waiting to happen.

I don't think hardware vs. software makes a "real" firewall. A NAT
gateway has to have all the basic functionality of a stateful firewall,
plus packet mangling. Typical home NAT gateways don't have all the
configurability of an SSG or such, but the same basic functionality is
there.

Eh? What does NAT have to do with anything? We already know that IPv6
residential firewalls won't do NAT, so why bring it into this discussion
at all?

Some of us are trying to formulate and offer real-life IPv6 services
to our marketplaces before IPv4 runs out, and the vendors simply
aren't interested in being there to help us out. Pointless distractions
about orthogonal issues that don't matter (e.g., NAT) don't help at
all.

FWIW, I asked Fred Baker about this at the IPv6 Forum meeting in
Australia this week. He'd just handled another question about
the memory requirements required for burgeoning routing table growth
by saying that if routers need extra RAM then routers with extra RAM
will appear on the market, because "if you're prepared to pay money
for it, we'll try to sell it to you."

So I asked, "I'm prepared to pay money for IPv6-capable ADSL2+ CPE.
Are you prepared to sell it to me?" and he said, "Yes, just not with
our firmware."

Which I thought was a bit of a cop-out, given that it was one of our
customers who developed the IPv6 openwrt support in the first place,
with zero support from Fred's employer, after we'd spent two years
hassling them about their lack of action.

... and this is in the same week when, in the context of IPv6, someone
else asked me how many units of their gear we'd ship ("Zero. You don't
have a product with the features we need so we'll use one of your
competitors instead. Let's revisit this when you're prepared to have
a conversation that doesn't include `lack of market demand' as a
reason for not doing it.")

Argh. Disillusionment, much?

  - mark