Pointer for documentation on actually delivering IPv6

Joe Greco jgreco at ns.sol.net
Mon Dec 6 16:08:16 UTC 2010


> First, let's clarify things a bit. I don't think unintended routing is
> what concerns your IT guys. After all, even with the NAT
> box today, there's routing from the outside to the inside. It's just
> controlled by stateful inspection.

It might be better stated differently.

With NAT, routing from the outside to the inside is controlled by
stateful inspection and also by internal policy.  In what we usually
mean as IPv4 NAT in today's usage, there is not supposed to be a way
for an outside attacker to target a particular inside destination,
even if its address were known.  1918 space isn't globally routed
and the "real" external IP address is the only thing your firewall
has to go on; internal policy controls what happens to unsolicited
traffic.

With IPv6 and a stateful firewall, an outside attacker gains the
ability to address devices within your network, even if he is unable
to actually cause packets to arrive at that target thanks to your
firewall.

There's a fundamental difference here that scares some people.  They
fear an inadvertent dropping of their stateful firewall ruleset, for
example, or maybe even bypassing of the firewall through misconfig or
other perils at the network level.

You won't make much progress on these fears because there's genuinely
something to them.  What we really need are killer IPv6 apps that
can't easily be NAT'd.  :-)

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
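The distinction Joe draws above (NAT: an inside address is simply not reachable from outside; IPv6 plus stateful firewall: the inside address is reachable, and only the filter decides whether packets land) can be made concrete with a small simulation. The following is an added illustration, not code from the post or from any firewall product; the addresses, the `Firewall` model and its `stateful_filter_active` flag are constructed for the example, using the documentation ranges from RFC 5737, RFC 3849 and RFC 1918 space.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed addressing for the example (documentation/private ranges only).
INSIDE_V4 = ip_network("192.168.10.0/24")   # RFC 1918: not globally routed
NAT_PUBLIC_V4 = "203.0.113.1"               # the firewall's single public IPv4 (RFC 5737)
INSIDE_V6 = ip_network("2001:db8:1::/64")   # globally routable prefix (RFC 3849 doc range)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass
class Firewall:
    """Toy model of the two deployments contrasted in the post."""
    # IPv4 NAT: (public_ip, public_port) -> (inside_ip, inside_port); entries exist only
    # because an inside host opened a flow outbound.
    nat_table: dict = field(default_factory=dict)
    # IPv6 stateful filter: (inside_ip, inside_port, remote_ip) seen outbound.
    conntrack6: set = field(default_factory=set)
    # Internal policy: (inside_ip, dport) pairs deliberately opened to unsolicited IPv6.
    allow6: set = field(default_factory=set)
    # False models the "inadvertent dropping of the stateful firewall ruleset" fear.
    stateful_filter_active: bool = True

    def outbound_v4(self, inside_ip, inside_port, public_port):
        self.nat_table[(NAT_PUBLIC_V4, public_port)] = (inside_ip, inside_port)

    def outbound_v6(self, inside_ip, inside_port, remote_ip):
        self.conntrack6.add((inside_ip, inside_port, remote_ip))

    def inbound(self, pkt):
        dst = ip_address(pkt.dst)
        if dst.version == 4:
            # RFC 1918 destinations never arrive from the outside: nothing routes them here,
            # regardless of what state the filter ruleset is in.
            if dst in INSIDE_V4:
                return "unroutable"
            # The only reachable address is the public one; an inside target exists only
            # if a NAT mapping for that port was created by an outbound flow.
            mapping = self.nat_table.get((pkt.dst, pkt.dport))
            return f"delivered to {mapping[0]}" if mapping else "dropped (no mapping)"
        # IPv6: the inside host is addressable from outside; delivery is decided by the filter.
        if dst not in INSIDE_V6:
            return "unroutable"
        if not self.stateful_filter_active:
            return f"delivered to {pkt.dst}"  # ruleset gone: the host is exposed
        if (pkt.dst, pkt.dport, pkt.src) in self.conntrack6 or (pkt.dst, pkt.dport) in self.allow6:
            return f"delivered to {pkt.dst}"
        return "dropped (unsolicited)"


def run_scenarios():
    """Exercise both deployments with the filter intact and with it lost."""
    fw = Firewall()
    outside = "198.51.100.7"                      # constructed remote host
    fw.outbound_v4("192.168.10.5", 40000, 40000)  # inside host opened a flow; NAT mapping exists
    fw.outbound_v6("2001:db8:1::5", 40000, outside)

    results = {
        # IPv4: addressing the inside host directly goes nowhere.
        "v4_direct_inside": fw.inbound(Packet(outside, "192.168.10.5", 22)),
        # IPv4: the public address with no mapping is dropped by policy.
        "v4_public_no_mapping": fw.inbound(Packet(outside, NAT_PUBLIC_V4, 22)),
        # IPv4: return traffic for the outbound flow reaches the inside host.
        "v4_public_mapped": fw.inbound(Packet(outside, NAT_PUBLIC_V4, 40000)),
        # IPv6: unsolicited packet to the inside host is addressable but filtered.
        "v6_unsolicited": fw.inbound(Packet(outside, "2001:db8:1::5", 22)),
        # IPv6: return traffic for the outbound flow is allowed by state.
        "v6_established": fw.inbound(Packet(outside, "2001:db8:1::5", 40000)),
    }

    fw.stateful_filter_active = False  # the failure mode the post describes
    results["v6_unsolicited_no_filter"] = fw.inbound(Packet(outside, "2001:db8:1::5", 22))
    results["v4_direct_inside_no_filter"] = fw.inbound(Packet(outside, "192.168.10.5", 22))
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:30s} {outcome}")
```

The two `_no_filter` results carry the point: losing the ruleset changes nothing for the RFC 1918 host, because no packet can be routed to it from outside, while the IPv6 host goes from "dropped (unsolicited)" to "delivered". That is the asymmetry that makes a default-drop policy, and monitoring that it is actually loaded, matter more on the IPv6 side.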

More information about the NANOG mailing list