IPv6 NAT

Owen DeLong owen at delong.com
Thu Oct 30 17:22:24 UTC 2003


In fact, Michael, there is no reason someone can't do everything you
describe with IPv4 if they are using unique address space.

Owen


--On Thursday, October 30, 2003 3:22 PM +0000 Michael.Dillon at radianz.com 
wrote:

>
>> NAT also has the advantage that if packets do leak
>> bogon filters at the border will drop them.
>
> NAT is simply an algorithm which causes a firewall to
> drop all traffic which doesn't match an entry in a
> set of internal state tables. The NAT algorithm sets
> up these state tables based on outgoing traffic and
> based on specific operator configurations, i.e. static
> NAT mappings.
>
> This algorithm can be implemented in a trivial piece
> of software that runs on cheap, low-power devices
> commonly used in things like DSL routers.
>
> The IPv6 folks are claiming that you can very easily
> implement the same type of algorithm on IPv6 routers to
> drop all traffic which doesn't match an entry in a
> set of internal state tables. The IPv6 algorithm would set
> up these state tables based on outgoing traffic and
> based on specific operator configurations, i.e. static
> enabled addresses.
>
> The only difference is that the IPv6 device never changes
> the packet contents, i.e. never replaces source or
> destination addresses in the headers. The IPv6 version can
> still drop traffic and can still dynamically enable certain
> incoming traffic based upon detection of an outgoing TCP
> session starting up. It could even do port redirection if
> that was still useful to people. It could also allow operator
> configuration to enable incoming traffic to specific addresses.
> The IPv6 version would be just as secure as an IPv4 NAT device
> but it would not interfere with protocol functioning.
>
> Now, I'm not claiming that every device capable of IPv4 NAT is currently
> able to function in this way, but there are no technical barriers to prevent
> manufacturers from making IPv6 devices that function in this way. The IPv6
> vendor marketing folks can even invent terms like NAT (Network Authority
> Technology) to describe this simple IPv6 firewall function, i.e. IPv6 NAT.
>
> It wouldn't be the first time that acronyms have been reinvented, e.g. RED,
> GSM.
> --Michael Dillon



-- 
If it wasn't signed, it probably didn't come from me.
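To make the comparison in the quoted message concrete, here is an added toy model (not code from this thread, from NANOG, or from any vendor) of the two algorithms Michael describes: a stateful IPv6 filter that creates a state-table entry when it sees outbound traffic, admits the matching return traffic and any operator-enabled (address, port) pairs, and never rewrites a header; beside it, an IPv4 NAT built on the same outbound-creates-state logic that does rewrite source and destination. The class names, method names and addresses (all from the documentation and test ranges) are constructed for illustration and carry no meaning beyond this example.

```python
"""Toy model: stateful IPv6 filter (no header rewriting) next to IPv4 NAT.

Constructed example; addresses are from documentation/test ranges
(2001:db8::/32, 10/8, 203.0.113/24, 198.51.100/24), not real hosts.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


# A flow is the 5-tuple the state table is keyed on.
Flow = Tuple[str, int, str, int, str]


def flow_of(p: Packet) -> Flow:
    return (p.src, p.sport, p.dst, p.dport, p.proto)


def reverse(f: Flow) -> Flow:
    """The 5-tuple a reply to flow f would carry."""
    src, sport, dst, dport, proto = f
    return (dst, dport, src, sport, proto)


class StatefulFilter6:
    """Drop inbound traffic unless a matching outbound flow was seen or the
    operator statically enabled the destination (address, port, proto).
    The packet that is forwarded is always the packet that arrived."""

    def __init__(self, inside: str, static_allow: Set[Tuple[str, int, str]] = frozenset()):
        self.inside = ipaddress.ip_network(inside)
        self.static_allow = set(static_allow)   # operator-enabled services
        self.state: Set[Flow] = set()           # flows seen going out

    def _inside(self, addr: str) -> bool:
        return ipaddress.ip_address(addr) in self.inside

    def forward(self, p: Packet) -> Optional[Packet]:
        """Return the packet to forward (unchanged) or None if it is dropped."""
        if self._inside(p.src) and not self._inside(p.dst):
            self.state.add(flow_of(p))          # outbound: create state
            return p
        if self._inside(p.dst) and not self._inside(p.src):
            if reverse(flow_of(p)) in self.state:
                return p                        # reply to a flow we saw leave
            if (p.dst, p.dport, p.proto) in self.static_allow:
                return p                        # statically enabled address/port
        return None                             # unsolicited or not ours to route


class Nat44:
    """Same outbound-creates-state idea, but the source address/port is
    replaced by the NAT's external address and a fresh port, and replies
    are translated back.  Port allocation is a simple counter (no reuse or
    expiry), which is enough to show where the rewriting happens."""

    def __init__(self, inside: str, external: str, first_port: int = 40000):
        self.inside = ipaddress.ip_network(inside)
        self.external = external
        self.next_port = first_port
        # (external port, proto) -> the original outbound 5-tuple
        self.table: Dict[Tuple[int, str], Flow] = {}

    def _inside(self, addr: str) -> bool:
        return ipaddress.ip_address(addr) in self.inside

    def forward(self, p: Packet) -> Optional[Packet]:
        if self._inside(p.src) and not self._inside(p.dst):
            port = self.next_port
            self.next_port += 1
            self.table[(port, p.proto)] = flow_of(p)
            return replace(p, src=self.external, sport=port)   # header rewritten
        if p.dst == self.external:
            orig = self.table.get((p.dport, p.proto))
            # Only the peer the inside host talked to may use this mapping.
            if orig and (p.src, p.sport) == (orig[2], orig[3]):
                return replace(p, dst=orig[0], dport=orig[1])   # translated back
        return None


if __name__ == "__main__":
    fw = StatefulFilter6("2001:db8:1::/64", {("2001:db8:1::25", 25, "tcp")})
    out = Packet("2001:db8:1::10", 51000, "2001:db8:2::80", 443)
    fw.forward(out)
    print(fw.forward(Packet("2001:db8:2::80", 443, "2001:db8:1::10", 51000)))
    print(fw.forward(Packet("2001:db8:2::80", 443, "2001:db8:1::11", 22)))
    nat = Nat44("10.0.0.0/8", "203.0.113.1")
    print(nat.forward(Packet("10.0.0.10", 51000, "198.51.100.80", 443)))
```

Running it shows the IPv6 reply coming back with its headers untouched, the unsolicited inbound packet dropped, and the IPv4 packet leaving with a rewritten source; the two classes share the state-table logic and differ only in whether `replace()` is ever called.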