nanog mailing list archives
Re: IPv6 NAT
From: Michael.Dillon () radianz com
Date: Thu, 30 Oct 2003 15:22:56 +0000
NAT also has the advantage that if packets do leak, bogon filters at the border will drop them.
NAT is simply an algorithm which causes a firewall to drop all traffic which doesn't match an entry in a set of internal state tables. The NAT algorithm sets up these state tables based on outgoing traffic and based on specific operator configurations, i.e. static NAT mappings. This algorithm can be implemented in a trivial piece of software that runs on cheap, low-power devices commonly used in things like DSL routers.

The IPv6 folks are claiming that you can very easily implement the same type of algorithm on IPv6 routers to drop all traffic which doesn't match an entry in a set of internal state tables. The IPv6 algorithm would set up these state tables based on outgoing traffic and based on specific operator configurations, i.e. static enabled addresses. The only difference is that the IPv6 device never changes the packet contents, i.e. never replaces source or destination addresses in the headers.

The IPv6 version can still drop traffic and can still dynamically enable certain incoming traffic based upon detection of an outgoing TCP session starting up. It could even do port redirection if that was still useful to people. It could also allow operator configuration to enable incoming traffic to specific addresses. The IPv6 version would be just as secure as an IPv4 NAT device but it would not interfere with protocol functioning.

Now, I'm not claiming that every device capable of IPv4 NAT is currently able to function in this way, but there are no technical barriers to prevent manufacturers from making IPv6 devices that function in this way. The IPv6 vendor marketing folks can even invent terms like NAT (Network Authority Technology) to describe this simple IPv6 firewall function, i.e. IPv6 NAT. It wouldn't be the first time that acronyms have been reinvented, e.g. RED, GSM.

--Michael Dillon
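
The filtering behaviour described in the message above, as an added example that is not part of the original post: a small Python model of a stateful IPv6 filter that learns flows from outgoing TCP session starts, honours operator-configured "static enabled" addresses, and never rewrites a header. The class, field and function names and the 2001:db8:: addresses are constructed for illustration; state expiry and non-TCP protocols are left out.

```python
from dataclasses import dataclass
from ipaddress import IPv6Address

@dataclass(frozen=True)
class Packet:
    src: IPv6Address
    sport: int
    dst: IPv6Address
    dport: int
    proto: str = "tcp"
    syn: bool = False

class StatefulV6Filter:
    """Drops inbound traffic with no matching state entry; never rewrites addresses."""

    def __init__(self, static_enabled=()):
        # Operator configuration: (inside address, port) pairs open to inbound traffic.
        self.static_enabled = {(IPv6Address(a), p) for a, p in static_enabled}
        self.state = set()  # flows learned from outgoing traffic (no expiry in this model)

    def outbound(self, pkt):
        # An outgoing TCP session start creates state, keyed the way the reply will look.
        if pkt.proto == "tcp" and pkt.syn:
            self.state.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return pkt  # forwarded with source and destination untouched

    def inbound(self, pkt):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.state or (pkt.dst, pkt.dport) in self.static_enabled:
            return pkt
        return None  # no state entry and no static rule: dropped

def demo():
    # Constructed sample traffic using the IPv6 documentation prefix.
    fw = StatefulV6Filter(static_enabled=[("2001:db8:1::80", 443)])
    host = IPv6Address("2001:db8:1::10")
    peer = IPv6Address("2001:db8:ffff::1")
    syn = Packet(host, 40000, peer, 443, syn=True)
    sent = fw.outbound(syn)
    reply = Packet(peer, 443, host, 40000)   # answer to the session the host opened
    probe = Packet(peer, 443, host, 22)      # unsolicited, different inside port
    web = Packet(peer, 51000, IPv6Address("2001:db8:1::80"), 443, syn=True)
    return {"unchanged": sent == syn,
            "reply": fw.inbound(reply) is not None,
            "probe": fw.inbound(probe) is not None,
            "static": fw.inbound(web) is not None}

if __name__ == "__main__":
    print(demo())
```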