Requirements for IPv6 Firewalls

Jimmy Hess mysidia at gmail.com
Sat Apr 19 04:16:56 UTC 2014


On Fri, Apr 18, 2014 at 10:02 AM, William Herrin <bill at herrin.us> wrote:

It would appear point (5) in favor of NAT with IPv6 is the only point
that has any merit there. (1) to (4) are just rationalizations.
None of (1) to (4) are the reasons IPv4 got NAT, none are valid, and
none are good reasons to bring NAT to IPv6 or to use NAT in designs of
IPv6 networks.

You could also add as good reasons... (6) Requirement for NAT based
on personal preference, and...

(7) "You don't need this NAT function anymore" is not a good reason
to 'withhold the feature as a design and implementation option'. --
"IPv6 is clearly not as mature as IPv4, when my IPv4 router has
greater flexibility in translation options"
---

(1) to (4) are just excuses for people who want NAT to not admit the
real reasons, which are illogical, BUT still important.

(5) is quite valid. Also, you cannot fight it. When you have
customers that demand NAT, even though there is absolutely no sound
reason for NAT anymore, the users will still buy whatever gives
them the feature they deemed important, based on their experience
with IPv4.


The fact of the matter is, the demand has irrational sources
contributing: comfort, change-aversion and loss-aversion.

People want to keep and not lose their IPv4 or their IPv4 features.
They expect to cherry-pick IPv6's advantages and not lose any
functionality from v4, or have any extra work to do, or any re-thinking of
their understanding of IP networking to be doing.

So if you are building IPv6 firewall SW, you should definitely
include any NAT functionality you believe that many of your potential
customers will demand.

The fact is... as a product vendor, to move the maximal number of
people to the IPv6 paradigm, you are still going to have to cater to
people with IPv4-like thinking.

Therefore... I fully expect all the NAT features of IPv4 to have an
IPv6 equivalent appearing.


> 1. Easier to manage the network if the IPv4 and IPv6 versions are [...]
> 2. Risk management - developing a new operating posture for a new [...]
> 3. Renumbering - works about as well in IPv6 as in IPv4, which is to [...]
> 4. Defense in depth is a core principle of all security, network and [...]
5.
> Feel free to refute all four points. No doubt you have arguments you
> personally find compelling. Your arguments will fall on deaf ears. At
> best the arguments propose theory that runs contrary to decades of
> many folks' experience. More likely the arguments are simply wrong.

--
-JH