Consumer Grade - IPV6 Enabled Router Firewalls.

Roger Marquis marquis at roble.com
Sat Dec 12 05:45:15 UTC 2009


Joe Greco wrote:
> Everyone knows a NAT gateway isn't really a firewall, except more or less
> accidentally.  There's no good way to provide a hardware firewall in an
> average residential environment that is not a disaster waiting to happen.

Gotta love it.  A proven technology, successfully implemented on millions
of residential firewalls, "isn't really a firewall", but rather "a disaster
waiting to happen".  Makes you wonder what disaster and when exactly it's
going to happen?

Simon Perreault wrote:
> We have thus come to the conclusion that there shouldn't be a
> NAT-like firewall in IPv6 home routers.

And that, in a nutshell, is why IPv6 is not going to become widely
feasible any time soon.

Whether or not there should be NAT in IPv6 is a purely rhetorical
argument.  The markets have spoken, and they demand NAT.

Is there a natophobe in the house who thinks there shouldn't be stateful
inspection in IPv6?  If not then could you explain what overhead NAT
requires that stateful inspection hasn't already taken care of?

Far from the issue some try to make it out to be, NAT is really just a
component of stateful inspection.  If you're going to implement
statefulness there is no technical downside to implementing NAT as well.
No downside, plenty of upsides, no brainer...

Roger Marquis
