nanog mailing list archives
Re: Cool IPv6 Stuff
From: Donald Stahl <don () calis blacksun org>
Date: Mon, 4 Jun 2007 23:36:52 -0400 (EDT)
It's a lot easier to write a firewall module that monitors a SIP connection to allow for bi-directional traffic than it is to monitor for such connections and rewrite the packets.
Won't stateful firewalls have similar issues? Ie, if you craft a stateful firewall to allow an office to have real IPv6 addresses but not to allow arbitrary connections in/out (ie, the "stateful" bit), won't said stateful require protocol tracking modules with similar (but not -as-) complexity to the existing NAT modules?
Not to mention- what happens when the SIP traffic (for example) goes out with 1918 addresses in the packets? The firewall never sees the return traffic because the destination system is trying to send traffic to a private address- it gets lost in the ether and troubleshooting becomes a pain. With real addresses in the packets the traffic will at least make it back to the firewall- even if the firewall doesn't know how to handle them. At that point you know what's happening and can either correct the rules, enable a proxy, or yell at your firewall vendor.
-Don
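
The failure mode described in the message above, as an added example that is not part of the original post: a small diagnostic that reads the media address out of a SIP INVITE's SDP body and compares it with the source address the far end actually saw. The sample messages, addresses and function names are constructed for illustration.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample INVITE; names and addresses are made up.
TEMPLATE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Contact: <sip:alice@{host}:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 1 1 IN {fam} {addr}\r\n"
    "s=-\r\n"
    "c=IN {fam} {addr}\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)
# Sent from behind a NAT with no SIP helper: payload still says 192.168.1.20.
NATTED_V4 = TEMPLATE.format(host="192.168.1.20", fam="IP4", addr="192.168.1.20")
# Sent from a host with a real IPv6 address (documentation prefix used here).
NATIVE_V6 = TEMPLATE.format(host="[2001:db8:10::20]", fam="IP6", addr="2001:db8:10::20")

def media_endpoints(sip_message):
    """Return [kind, port, address] for each m= line in the SDP body."""
    _, _, sdp = sip_message.partition("\r\n\r\n")
    session_addr, media = None, []
    for line in sdp.splitlines():
        if line.startswith("c="):
            addr = ipaddress.ip_address(line.split()[2].split("/")[0])
            if media:
                media[-1][2] = addr          # media-level c= overrides session-level
            else:
                session_addr = addr
        elif line.startswith("m="):
            kind, port = line[2:].split()[:2]
            media.append([kind, int(port.split("/")[0]), session_addr])
    return media

def diagnose(sip_message, observed_src):
    """Compare each advertised media address with the source the far end saw."""
    observed = ipaddress.ip_address(observed_src)
    report = []
    for kind, port, addr in media_endpoints(sip_message):
        if addr is None:
            verdict = "no address advertised"
        elif addr != observed and any(addr in net for net in RFC1918):
            verdict = "lost: far end replies to a private address"
        else:
            verdict = "returns: reply reaches the sender's firewall"
        report.append((kind, str(addr), port, verdict))
    return report
```

Calling `diagnose(NATTED_V4, "203.0.113.5")` reports the audio stream as lost, while `diagnose(NATIVE_V6, "2001:db8:10::20")` reports it as returning to the sender's firewall, where a missing rule can at least be seen and fixed.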