Requirements for IPv6 Firewalls

William Herrin bill at
Fri Apr 18 23:06:53 UTC 2014

On Fri, Apr 18, 2014 at 6:19 PM, Eugeniu Patrascu <eugen at> wrote:
> On Fri, Apr 18, 2014 at 6:02 PM, William Herrin <bill at> wrote:
>> 4. Defense in depth is a core principle of all security, network and
>> physical. If you don't practice it, your security is weak. Equipment
>> which is not externally addressable (due to address-overloaded NAT)
>> has an additional obstruction an adversary must bypass versus an
>> identical system where the equipment is externally addressable (1:1
>> NAT, static port translation and simple routing). This constrains the
>> kinds of attacks an adversary may employ.
> Let's make it simple:
> Scenario (A) w/ IPv4
> [Internet] -> Firewall Public IP :80/TCP -> DNAT to Internal IP Address
> :80/TCP
> Scenario (B) w/ IPv6
> [Internet] -> FIrewall -> Host w/ Routable IP Address :80/TCP
> In scenario (A) I hide a server behind a firewall and to a simple
> destination NAT (most common setup found in all companies).
> In scenario (B) I have a firewall rule that only allows port 80 to a machine
> in my network.
> Explain to me how from a security standpoint Scenario (A) is better than
> scenario (B).

So your question is: how does one variant of being externally
addressable (simple routing with a packet filter or perhaps a stateful
firewall) differ from another variant of being externally addressable
(static inbound port translation)? Hell man, I don't like seeing these
in IPv4 let alone IPv6. But when I'm asking a guy to make a much
bigger leap of faith, like implementing IPv6, I don't plan to distract
him with the fact that he's taken NAT=good from the situation where
it's probably true and applied it to a situation where its value is
more dubious.

> Defense in depth, to my knowledge - and feel free to correct me, is to have
> defenses at every point in the network and at the host level to protect
> against different attack vectors that are possible at those point.

And a heart attack is that you clutch your chest and fall over dead.
You describe what defense in depth looks like, not what it is.

Defense in depth is that you have a fence and a security guard and a
spotlight. And a locked door, an alarm system and a safe too. But you
don't just have the fence, the door and the safe, a single form of
protection at each point. That would be a shallow defense.

Bill Herrin

William D. Herrin ................ herrin at  bill at
3005 Crane Dr. ...................... Web: <>
Falls Church, VA 22042-3004

More information about the NANOG mailing list