Requirements for IPv6 Firewalls
mysidia at gmail.com
Sat Apr 19 04:16:56 UTC 2014
On Fri, Apr 18, 2014 at 10:02 AM, William Herrin <bill at herrin.us> wrote:
It would appear point (5) in favor of NAT with IPv6 is the only point
that has any merit there. (1) to (4) are just rationalizations.
None of (1) to (4) are the reasons IPv4 got NAT, none are valid, and
none are good reasons to bring NAT to IPv6 or use NAT in designs of
You could also add as good reasons.. (6) Requirement for NAT based
on personal preference, and...
(7) "You don't need this NAT function anymore," is not a good reason
to 'withhold the feature as a design and implementation option'. --
"IPv6 is clearly not as mature as IPv4, when my IPv4 router has
greater flexibility in translation options"
(1) to (4) are just excuses for people who want NAT to not admit the
real reasons which are illogical, BUT still important.
(5) is quite valid. Also, you cannot fight it. When you have
customers that demand NAT, even though there is absolutely no sound
reason for NAT anymore. The users will still buy whatever gives
them the feature they deemed important, based on their experience
The fact of the matter is, the demand has irrational sources
contributing: comfort and change-aversity and loss-aversity.
People want to keep and not lose their IPv4 or their IPv4 features.
They expect to cherrypick IPv6's advantages and not lose any
functionality from V4 or have any extra work to do, or re-thinking of
their understanding of IP networking to be doing.
So if you are building IPv6 firewall SW, you should definitely
include any NAT functionality you believe that many of your potential
customers will demand.
The fact is... as a product vendor to move the maximal number of
people to the IPv6 paradigm: you are still going to have to cater to
people with IPv4-like thinking.
Therefore... I fully expect all the NAT features of IPv4 to have an
IPv6 equivalent appearing.
> 1. Easier to manage the network if the IPv4 and IPv6 versions are [...]
> 2. Risk management - developing a new operating posture for a new [...]
> 3. Renumbering - works about as well in IPv6 as in IPv4, which is to [...]
> 4. Defense in depth is a core principle of all security, network and [...]
> Feel free to refute all four points. No doubt you have arguments you
> personally find compelling. Your arguments will fall on deaf ears. At
> best the arguments propose theory that runs contrary to decades of
> many folks' experience. More likely the arguments are simply wrong.
More information about the NANOG