Requirements for IPv6 Firewalls

Enno Rey erey at
Sat Apr 19 02:58:39 UTC 2014


On Fri, Apr 18, 2014 at 11:59:04AM -0700, Doug Barton wrote:
> On 04/18/2014 12:57 AM, Enno Rey wrote:
> > I fully second Sander's input. I've been involved in IPv6 planning in a number of very large enterprises now and _none_ of them required/asked for (66/overloading) NAT for their firewall environments. A few think about very specific deployments of NPTv6 like stuff for connections to supplier/partner networks (to map those to their own address space) but these are corner cases not even relevant for their "firewalls".
> How many of those networks were implementing with IPv6 PI space?

all of them

> experience has been that those customers are not interested in IPv6 NAT, 
> but instead utilize network segmentation to define "internal" vs. 
> "external."
> OTOH, customers for whom PI space is not realistic (for whatever 
> reasons, and yes there are reasons) are very interested in the 
> combination of ULA + NPTv6 to handle internal resources without having 
> to worry about renumbering down the road.

true. it's just we don't see many of those (actually I've yet to encounter a single one) and it could be debatable if they belong to "Enterprise" networks (which is in the title of the ID).



> Doug

Enno Rey

ERNW GmbH - Carl-Bosch-Str. 4 - 69115 Heidelberg -
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902 

Handelsregister Mannheim: HRB 337135
Geschaeftsfuehrer: Enno Rey

Twitter: @Enno_Insinuator

More information about the NANOG mailing list