RFC 1597/Firewalls

Yeah, there are 2^32 bits of address space, after all.

There are? I always thought there were 32 bits of address space, not 2^32,
and the code that I wrote even worked... :slight_smile:

I was just following the trend for IP address sizes? Sigh. Never
send mail to public lists when suffering from near terminal jetlag.

Now, I won't dispute that there will be some places where either because of
legacy systems in house or paranoia they continue to run a firewall. But the
95% solution will be in place, and if they previously chose to use 1597-style
addresses, the 95% of the world who decided they didn't need firewalls
anymore because of strong authentication will be forced to renumber.

Ummm. Do you really think IPv4 will have enough security backfitted
onto it to make 95% of the firewalls unnecessary? And before either
IPv4 runout or IPv6 transition? And if so, would you stake your
career (as a corporate security geek) on it?

I am more than willing to admit that 1597 has its uses, and people who find
rfcs 1597 and 1627 on their own, read them, and figure out whether they want
to bear the risks and consequences should feel free to use the addresses.


That *doesn't* mean, however, that it should be promoted or upgraded from
"informational" to "recommended",

I don't think anyone is considering doing this.

The concept of globally unique addressing is simply far too powerful and far
too useful for us to summarily and without further thought assert that
firewalls are a fact of life that will be with us forever.

Firewalls act as a single point of entry and exit that can be secured
for many reasons, not all having to do with protecting an internal
network from the unpleasantries of networking life. One possible use
would be to reduce the number of networks you have to have routed,
which (depending on who your ISP is) could save significant amounts of
money. Further, telling corporate security geeks to "not worry, this
IPv* stack is secure" will most likely not be too effective,
especially when people can turn the security off on their workstation
(or will the IPv* stacks be unconfigurable?).

In any event, to bring this more into NANOG (contrary to my previous
assertion, my boss is insisting I go to the NANOG meeting), I was
wondering if people felt a small 'discussion' regarding the RFC
1597/1627 swamp would be appropriate during the "CIDR/Aggregation/
Allocation Policies" discussion on Thursday? I'd be interested in
hearing operators feelings regarding this issue, particularly since
the IAB feels 1597 needs to be revised.