Requirements for IPv6 Firewalls
erey at ernw.de
Sat Apr 19 02:58:39 UTC 2014
On Fri, Apr 18, 2014 at 11:59:04AM -0700, Doug Barton wrote:
> On 04/18/2014 12:57 AM, Enno Rey wrote:
> > I fully second Sander's input. I've been involved in IPv6 planning in a number of very large enterprises now and _none_ of them required/asked for (66/overloading) NAT for their firewall environments. A few think about very specific deployments of NPTv6 like stuff for connections to supplier/partner networks (to map those to their own address space) but these are corner cases not even relevant for their "firewalls".
> How many of those networks were implementing with IPv6 PI space?
all of them
> experience has been that those customers are not interested in IPv6 NAT,
> but instead utilize network segmentation to define "internal" vs.
> OTOH, customers for whom PI space is not realistic (for whatever
> reasons, and yes there are reasons) are very interested in the
> combination of ULA + NPTv6 to handle internal resources without having
> to worry about renumbering down the road.
true. it's just we don't see many of those (actually I've yet to encounter a single one) and it could be debatable if they belong to "Enterprise" networks (which is in the title of the ID).
ERNW GmbH - Carl-Bosch-Str. 4 - 69115 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902
Handelsregister Mannheim: HRB 337135
Geschaeftsfuehrer: Enno Rey
Blog: www.insinuator.net || Conference: www.troopers.de