Cool IPv6 Stuff

Adrian Chadd adrian at creative.net.au
Tue Jun 5 02:29:43 UTC 2007


On Mon, Jun 04, 2007, Iljitsch van Beijnum wrote:
> 
> On 4-jun-2007, at 17:37, Donald Stahl wrote:
> 
> >>I want NAT to die but I think it won't.
> 
> >Far too many "security" folks are dictating actual implementation  
> >details and that's fundamentally wrong.
> 
> >A security policy should read "no external access to the network"  
> >and it should be up to the network/firewall folks to determine how  
> >best to make that happen. Unfortunately many security policies go  
> >so far as to explicitly require NAT.
> 
> Don't forget that the reason NAT works to the degree that it does  
> today is because of all the workarounds in applications or protocol- 
> specific workarounds in the NATs (ALGs). In IPv6, you don't have any  
> of this stuff, so IPv6 NAT gets you nowhere fast with any protocol  
> that does more than something HTTP-like. (Yes, I've tried it.)

Won't stateful firewalls have similar issues? I.e., if you craft a stateful
firewall to allow an office to have real IPv6 addresses but not to allow
arbitrary connections in/out (i.e., the "stateful" bit), won't said stateful
firewall require protocol tracking modules with similar (but not -as-) complexity
to the existing NAT modules?
Adrian