Requirements for IPv6 Firewalls

William Herrin bill at herrin.us
Fri Apr 18 15:02:45 UTC 2014


On Fri, Apr 18, 2014 at 3:31 AM, Eugeniu Patrascu <eugen at imacandi.net> wrote:
> On Thu, Apr 17, 2014 at 11:45 PM, George Herbert <george.herbert at gmail.com>
> wrote:
>> You are missing the point.
>>
>> Granted, anyone who is IPv6 aware doing a green-field enterprise firewall
>> design today should probably choose another way than NAT.
>>
>
> That's why you have gazillions of IP addresses in IPv6, so you don't need to
> NAT anything (among other things). I don't understand why people cling to
> NAT stuff when you can just route.

Hi Eugeniu,

That's correct: you don't understand. Until you do, just accept: there
are more than a few folks who want to, intend to and will use NAT for
IPv6. They will wait until NAT is available in their preferred
products before making any significant deployment efforts.

The main drivers behind the desire for NAT in IPv6 you've heard
before, but I'll repeat them for the sake of clarity:

1. Easier to manage the network if the IPv4 and IPv6 versions are
identical but for the IP addresses. Would've been even easier if the
IP addresses were identical too, but that ship sailed more than a
decade ago.

2. Risk management - developing a new operating posture for a new
protocol is high risk. Translating the existing posture is lower risk.
In most places the existing posture includes extensive NAT. The number
of IPv4 networks in which no NAT is employed is vanishingly small.

3. Renumbering - works about as well in IPv6 as in IPv4, which is to
say badly. And doubling down on the addresses assigned to hosts is
still half baked -- a worthwhile idea but needs more time in the
kitchen.

4. Defense in depth is a core principle of all security, network and
physical. If you don't practice it, your security is weak. Equipment
which is not externally addressable (due to address-overloaded NAT)
has an additional obstruction an adversary must bypass versus an
identical system where the equipment is externally addressable (1:1
NAT, static port translation and simple routing). This constrains the
kinds of attacks an adversary may employ.


Feel free to refute all four points. No doubt you have arguments you
personally find compelling. Your arguments will fall on deaf ears. At
best the arguments propose theory that runs contrary to decades of
many folks' experience. More likely the arguments are simply wrong.

Either way, you need NAT in the firewall products or you need some
miracle application, the desire for which compels folks to move past
the rationale above. Do you see the latter happening any time soon?
Neither do I.

Regards,
Bill Herrin


-- 
William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
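The two postures contrasted in point 4 (address-overloaded NAT versus simple routing behind a stateful filter) look like this in nftables. This is an added example for the reader, not code from Bill's post or from NANOG; the interface names, the ULA and documentation prefixes, and the pinholed host address are placeholders chosen for illustration. NAT66 here uses the `ip6` family's `masquerade` target, which needs a kernel with nftables IPv6 NAT support.

```nftables
# Added example (not from the post). Assumptions: eth0 is the outside
# interface holding a global address, eth1 the inside interface, and the
# prefixes are placeholders (fd00:1::/64 ULA inside, 2001:db8:1::/64 global
# inside). Load with: nft -f thisfile.nft

# Posture A: address-overloaded NAT66 ("masquerade"). Inside hosts carry
# ULA addresses only; the outside sees the firewall's address and a
# translated port, so an inside host has no externally reachable address.
table ip6 nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "eth0" ip6 saddr fd00:1::/64 masquerade
    }
}

# Stateful filter used in both postures: new connections may only start
# from the inside; replies are matched by conntrack. The ICMPv6 errors
# are let through so path MTU discovery keeps working for IPv6.
table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state invalid drop
        ct state established,related accept
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept
        iifname "eth1" oifname "eth0" accept

        # Posture B (simple routing): inside hosts use 2001:db8:1::/64 and
        # are globally addressable; nothing is translated, and only this
        # policy-drop chain stands between them and inbound traffic.
        # Anything meant to be reachable from outside is pinholed explicitly:
        # iifname "eth0" ip6 daddr 2001:db8:1::10 tcp dport 443 accept
    }
}
```

With the `ip6 nat` table removed and the inside prefix changed to the global one, the same filter table is the whole of posture B; the difference between the two is exactly whether an inside host has an address the outside can name.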