Requirements for IPv6 Firewalls

Matt Palmer mpalmer at
Fri Apr 18 06:57:57 UTC 2014

On Thu, Apr 17, 2014 at 09:05:17PM -0500, Timothy Morizot wrote:
> On Apr 17, 2014 7:52 PM, "Matthew Kaufman" <matthew at> wrote:
> > While you're at it, the document can explain to admins who have been
> burned, often more than once, by the pain of re-numbering internal services
> at static addresses how IPv6 without NAT will magically solve this problem.
> If you're worried about that issue, either get your own end user
> assignment(s) from ARIN or use ULA internally and employ NAT-PT (prefix
> translation) at the perimeter. That's not even a hard question.

Why use NAT-PT in that instance?  Since IPv6 interfaces are happy running
with multiple addresses, the machines can have their publically-accessable
address and also their ULA address, with internal services binding to (and
referring to, via DNS, et al) the ULA address; when you change providers,
the publically-accessable address changes (whoopee!), but the internal
service address doesn't.

- Matt

More information about the NANOG mailing list