On 2010-03-22 10:28, Mark Townsley wrote:
> On 3/21/10 9:29 PM, james woodyatt wrote:
>> On Mar 21, 2010, at 12:18, Mark Townsley <townsley@cisco.com> wrote:
>>> On 3/21/10 6:29 PM, Brian E Carpenter wrote:
>>>> So, I'm wondering what's really wrong with:
>>>>
>>>>    REC-41 Gateways MUST provide an easily selected configuration option
>>>>    that permits operation in a mode that forwards all unsolicited
>>>>    flows regardless of forwarding direction.
>>>
>>> The problem is the default, which is not to permit this.
>>
>> That problem is inherited from RFC 4864, which this draft is not
>> intended to reverse.
>
> Why not, if that is the current consensus? We've reversed the text of
> IETF standards track documents before, much less Informational documents
> that are not a standard of any kind.

As a co-author of 4864, let me agree violently. It's not a BCP.
Even if it was, consensus could reverse it.
What 4864 says is: NATs weren't designed as security devices but they
provide simple security by blocking everything incoming by default.
To implement simple security for v6 you should do it with a stateful
firewall.
It doesn't say that CPEs MUST do this. It leaves that choice open, as
an informational document.
Brian