<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal>As I recall from previous discussion here and on other lists...<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>One of the barriers to widespread deployment of IPv6 is fear about security. People have come to rely on their IPv4 NAT as a form of inbound packet filter. So moving forward, it seems only natural that (for people who agree with this policy) a lot of IPv6 firewalls will need to be configured to block all inbound IPv6 traffic and permit all outbound. Unfortunately, this defeats the main value-add of IPv6, which is peer-to-peer.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>So logically, it seems natural that a lot of IPv6 firewalls will need to support things like NAT-PMP, or IGD, so the internal devices can automatically configure inbound ports to enable peer-to-peer, whilst maintaining a reasonably secure perimeter firewall. This allows you to block all unsolicited inbound traffic, but allow clients to communicate with solicited peers for firewall traversal. (And at some point, it seems natural that some authentication scheme will be necessary, so only specific applications and/or specific machines will be able to use that functionality, etc.)<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Now the question I have is ... Neither NAT-PMP nor IGD seems to support IPv6. So what up?<o:p></o:p></p></div></body></html>