Requirements for IPv6 Firewalls

• Previous message (by thread): Requirements for IPv6 Firewalls
• Next message (by thread): Requirements for IPv6 Firewalls
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Apr 17, 2014 at 09:05:17PM -0500, Timothy Morizot wrote:
> On Apr 17, 2014 7:52 PM, "Matthew Kaufman" <matthew at matthew.at> wrote:
> > While you're at it, the document can explain to admins who have been
> burned, often more than once, by the pain of re-numbering internal services
> at static addresses how IPv6 without NAT will magically solve this problem.
> 
> If you're worried about that issue, either get your own end user
> assignment(s) from ARIN or use ULA internally and employ NAT-PT (prefix
> translation) at the perimeter. That's not even a hard question.

Why use NAT-PT in that instance?  Since IPv6 interfaces are happy running
with multiple addresses, the machines can have their publically-accessable
address and also their ULA address, with internal services binding to (and
referring to, via DNS, et al) the ULA address; when you change providers,
the publically-accessable address changes (whoopee!), but the internal
service address doesn't.

- Matt

• Previous message (by thread): Requirements for IPv6 Firewalls
• Next message (by thread): Requirements for IPv6 Firewalls
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]