Cool IPv6 Stuff

Adrian Chadd adrian at creative.net.au
Tue Jun 5 03:53:48 UTC 2007


On Mon, Jun 04, 2007, Donald Stahl wrote:
> >Won't stateful firewalls have similar issues? Ie, if you craft a stateful
> >firewall to allow an office to have real IPv6 addresses but not to allow
> >arbitrary connections in/out (ie, the "stateful" bit), won't said stateful
> >require protocol tracking modules with similar (but not -as-) complexity
> >to the existing NAT modules?

> It's a lot easier to write a firewall module that monitors a SIP 
> connection to allow for bi-directional traffic than it is to monitor for 
> such connections and rewrite the packets.

Yes yes, people have pointed this out already.

> Not to mention- what happens when the SIP traffic (for example) goes out 
> with 1918 addresses in the packets? The firewall never sees the return 
> traffic because the destination system is trying to send traffic to a 
> private address- it gets lost in the ether and troubleshooting becomes a 
> pain. With real addresses in the packets the traffic will at least make it 
> back to the firewall- even if the firewall doesn't know how to handle 
> them. At that point you know what's happening and can either correct the 
> rules, enable a proxy, or yell at your firewall vendor.

And it's still not "as simple as tracking connections" stateful firewall.
You still need to stick your grubby fingers into (this example) the SIP
handshake and add in related rules for the RTP session to occur. There's
still similar room for screwing up in the firewall implementation.
There's still similar angst possible with broken stateful protocol tracking.

Anyway, this is the last post from me on this topic. Time's going to tell
whether vendors implement IPv6 NAT; since their featuresets are customer
driven, not nanog@ driven. :)
Adrian
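The point in the reply above, that a SIP-aware stateful firewall still has to read the handshake and add "related" rules for the RTP session, as an added example that is not code from the post or from any firewall vendor. It parses a constructed SDP body (the media description carried in a SIP INVITE), derives the UDP pinholes the firewall would need for RTP and RTCP, and flags the RFC 1918 case the thread describes, where return media is sent to a private address and never reaches the firewall.

```python
import ipaddress

# Constructed sample SDP bodies as carried in a SIP INVITE (not from the post).
SDP_V6 = """v=0
o=alice 1 1 IN IP6 2001:db8:1::10
s=-
c=IN IP6 2001:db8:1::10
t=0 0
m=audio 49170 RTP/AVP 0
m=video 51372 RTP/AVP 31
"""
SDP_V4_RFC1918 = "v=0\r\nc=IN IP4 10.0.0.5\r\nt=0 0\r\nm=audio 4000 RTP/AVP 0\r\n"

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    """True for an IPv4 address inside one of the RFC 1918 private ranges."""
    return addr.version == 4 and any(addr in net for net in RFC1918)

def parse_sdp_media(sdp):
    """Return one dict per m= line; a media-level c= overrides the session-level c=."""
    session_addr, streams = None, []
    for line in sdp.splitlines():
        if line.startswith("c="):
            addr = line.split()[2]
            if streams:                      # c= after an m= applies to that stream
                streams[-1]["addr"] = addr
            else:
                session_addr = addr
        elif line.startswith("m="):
            kind, port = line.split()[:2]
            streams.append({"kind": kind[2:], "addr": session_addr, "port": int(port)})
    return streams

def related_pinholes(sdp):
    """The 'related' rules a SIP-aware stateful firewall must add after reading the
    handshake: UDP to the SDP address on the RTP port and the RTCP port (port + 1).
    unreachable_private marks the RFC 1918 case where return media is lost."""
    rules = []
    for s in parse_sdp_media(sdp):
        addr = ipaddress.ip_address(s["addr"])
        for port in (s["port"], s["port"] + 1):
            rules.append({"proto": "udp", "dst": str(addr), "dport": port,
                          "kind": s["kind"], "unreachable_private": is_rfc1918(addr)})
    return rules

if __name__ == "__main__":
    for rule in related_pinholes(SDP_V6) + related_pinholes(SDP_V4_RFC1918):
        print(rule)
```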