
Re: On saving end-to-end transparency (was: Re: I-D.ietf-v6ops-cpe-simple-security-09)



+1, too. The network may increase its intelligence as it wants. It will benefit the world. However, e2e transparency is still one of the most important features of the Internet infrastructure. Efforts on the network side should try their best to maintain it.

Sheng

On 2010/3/23 0:25, Cameron Byrne wrote:
On Mon, Mar 22, 2010 at 8:25 AM, Mark Townsley <townsley@cisco.com> wrote:

All,

I wish I could be in two places at once. This email will have to suffice.

A final plea before the IETF meeting slots begin.

I think that most of us on this list would agree with, at the very least,
the ideal of end-to-end transparency with IP. Many of us are also realists;
realists who lived through the era of the IETF saying no to IPv4 NAT. Some
of us may worry that we are part of a minority that will be overwhelmed by
market forces demanding an IPv6 firewall function, even if we would rather
not see them widely deployed.

Never fear, the market force behind an IPv6 firewall is nowhere near that
of the IPv4 NAT. The benefit simply isn't anywhere near as tangible for the
average user. The real sales pitch for IPv4 NAT was letting your home have
multiple internet-connected PCs for the price of one. This benefit was
pitted against end-to-end transparency, and the advantages of the NAT won.
It is still unclear to me whether the purported advantages of an IPv6
firewall would outweigh the costs in terms of complexity and transparency,
even by the mass residential market. I say this partly because of all of the
comments saying that vendors, SDOs, and SPs are looking to the IETF on what
to do here. This is an indication that the market has not yet spoken on
this, otherwise no one would really care what recommendation we made.

It has been a long road, but it is too early to lose our ideals entirely
here. Let's not publish a document that recommends, by default, breaking
end-to-end transparency. If the market proves us wrong, know that we are not
making the same fatal mistake as we did with IPv4 NAT as we are still
defining how to create an IPv6 firewall if one so chooses.

Given that the current largest residential IPv6 deployment has no firewall
in its CPE, and I have heard others say (on this list and elsewhere) that
they would much rather not have to develop, deploy, and manage a firewalled
connection, we have a real chance here to let the IPv6 Internet grow up
without this additional complexity. I could be completely wrong, and the
firewalls may certainly go ahead and ship on by default anyway. If so, what
will we have lost? Nothing really, as the functionality of the firewall will
still be there to be implemented against in a relatively consistent manner.
However, at least it will not have been the IETF that shot its own
principles down in the process.

Let's err on the side of our ideals here. Publish
draft-ietf-v6ops-cpe-simple-security, but do so without default-deny rules
on by default. Let's not break end-to-end IPv6 before it even has a chance
to grow up.

+1. Host OSs have matured a lot in the last 10 years; we don't need
appliances to protect / handicap them. E2E says put the intelligence
in the host, not the network / CPE.

Cameron


Thanks for reading this far, and have a good IETF meeting this week. See you
on Jabber when I can.

- Mark