nanog mailing list archives
Re: Requirements for IPv6 Firewalls
From: Seth Mos <seth.mos () dds nl>
Date: Fri, 18 Apr 2014 09:15:59 +0200
On 18-4-2014 8:57, Matt Palmer wrote:
> On Thu, Apr 17, 2014 at 09:05:17PM -0500, Timothy Morizot wrote:
>> On Apr 17, 2014 7:52 PM, "Matthew Kaufman" <matthew () matthew at> wrote:
>>> While you're at it, the document can explain to admins who have been
>>> burned, often more than once, by the pain of re-numbering internal
>>> services at static addresses how IPv6 without NAT will magically solve
>>> this problem.
>>
>> If you're worried about that issue, either get your own end user
>> assignment(s) from ARIN or use ULA internally and employ NAT-PT (prefix
>> translation) at the perimeter. That's not even a hard question.
>
> Why use NAT-PT in that instance? Since IPv6 interfaces are happy running
> with multiple addresses, the machines can have their publicly-accessible
> address and also their ULA address, with internal services binding to (and
> referring to, via DNS, et al) the ULA address; when you change providers,
> the publicly-accessible address changes (whoopee!), but the internal
> service address doesn't.
Sounds good in theory, I tried it but it got ugly really fast. Before you know it you have layers of obfuscation, and even more work to get it to work right. That's really not a good argument for the general IPv6 case.

Then there's the issue of making not just hosts do address selection but bringing that down to making applications choose address selection. As an admin I really don't want to go there. I just want a central point where I can pass, block or redirect.

Just keep it as simple as possible, but not simpler. A host with an IPv4 and GLA IPv6 address is as complicated as you want it.

The only case I see for NPt is for cheap multi WAN where you have the primary prefix on your "LAN" and perform NPt for that prefix when it goes out the "3G" stick. Note that you would still need the same (delegated) prefix size on both connections (e.g. /64, /56 or /48).

What is also nice is that in the case of NPt the firewall rules for both "WAN" and "3G" can be the same as the destination address (after performing NPt) is still the same. "Manageable".

Kind regards,

Seth
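The cheap multi-WAN NPt case described in the message above, as an added worked example that is not code from the thread or from any poster: the LAN keeps the primary /48, packets leaving the "3G" link get their prefix rewritten to the /48 delegated there, and the firewall rule table is written once against LAN addresses. The adjustment arithmetic (one's complement sum of the internal prefix minus that of the external prefix, applied to bits 48..63 when both prefixes are /48) is the RFC 6296 checksum-neutral mapping; restricting the example to /48 prefixes, the sample prefixes 2001:db8:1::/48 and 2001:db8:2::/48, the host 2001:db8:1:10::5, the rule table and all function names are assumptions made for this example.

```python
"""NPTv6 (RFC 6296) prefix translation for the "primary prefix on the LAN, NPt out the 3G stick" case.
Prefixes, host, rule table and interface names are constructed for this example."""
import ipaddress

INTERNAL_PREFIX = ipaddress.IPv6Network("2001:db8:1::/48")  # primary WAN prefix, used on the LAN (assumed)
EXTERNAL_PREFIX = ipaddress.IPv6Network("2001:db8:2::/48")  # prefix delegated on the "3G" link (assumed)


def _fold(s):
    """Fold carries back in: one's complement reduction of an integer to 16 bits."""
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s


def ones_add(a, b):
    """16-bit one's complement addition; 0xFFFF (negative zero) is written as 0x0000."""
    s = _fold(a + b)
    return 0 if s == 0xFFFF else s


def words(addr):
    """The eight 16-bit words of an IPv6 address given as str or IPv6Address."""
    raw = int(ipaddress.IPv6Address(str(addr)))
    return [(raw >> (16 * (7 - i))) & 0xFFFF for i in range(8)]


def prefix_sum(net):
    """One's complement sum of the three 16-bit words of a /48 prefix."""
    assert net.prefixlen == 48, "this example handles /48 <-> /48 only"
    total = 0
    for w in words(net.network_address)[:3]:
        total = ones_add(total, w)
    return total


# RFC 6296: adjustment = internal prefix sum minus external prefix sum, in one's complement.
ADJUSTMENT = ones_add(prefix_sum(INTERNAL_PREFIX), (~prefix_sum(EXTERNAL_PREFIX)) & 0xFFFF)


def _translate(addr, src_net, dst_net, adj):
    addr = ipaddress.IPv6Address(str(addr))
    if addr not in src_net:
        raise ValueError("%s is not inside %s" % (addr, src_net))
    w = words(addr)
    w[0:3] = words(dst_net.network_address)[0:3]  # rewrite the /48 prefix
    # Bits 48..63 (the subnet word) absorb the difference, so the one's complement sum of the
    # whole address, and with it every transport checksum, is unchanged. 0xFFFF and 0x0000 are
    # both zero in one's complement, so a subnet word of 0xFFFF would not round-trip; avoid it.
    w[3] = ones_add(w[3], adj)
    raw = 0
    for x in w:
        raw = (raw << 16) | x
    return ipaddress.IPv6Address(raw)


def outbound(addr):
    """LAN address (primary prefix) -> address as seen on the "3G" link."""
    return _translate(addr, INTERNAL_PREFIX, EXTERNAL_PREFIX, ADJUSTMENT)


def inbound(addr):
    """Packet arriving on the "3G" link -> LAN address (subtract the adjustment)."""
    return _translate(addr, EXTERNAL_PREFIX, INTERNAL_PREFIX, (~ADJUSTMENT) & 0xFFFF)


def transport_checksum(src, dst, next_header, payload):
    """Checksum over the IPv6 pseudo-header (src, dst, upper-layer length, next header) and payload."""
    data = ipaddress.IPv6Address(str(src)).packed + ipaddress.IPv6Address(str(dst)).packed
    data += len(payload).to_bytes(4, "big") + bytes(3) + bytes([next_header]) + payload
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total = _fold(total + ((data[i] << 8) | data[i + 1]))
    return (~total) & 0xFFFF


# Rules are written against LAN addresses only; the same table serves both uplinks (constructed).
RULES = [("2001:db8:1:10::5", "tcp", 443, "pass")]  # (dst, proto, port, action)


def ingress_decision(ingress_if, dst, proto, port):
    """Undo NPTv6 for traffic entering on the "3G" interface, then match on the LAN destination."""
    dst = ipaddress.IPv6Address(str(dst))
    if ingress_if == "3g":
        dst = inbound(dst)
    for rule_dst, rule_proto, rule_port, action in RULES:
        if dst == ipaddress.IPv6Address(rule_dst) and proto == rule_proto and port == rule_port:
            return action
    return "block"


if __name__ == "__main__":
    lan = "2001:db8:1:10::5"
    ext = outbound(lan)
    print(lan, "->", ext, "-> back:", inbound(ext), "(adjustment 0x%04x)" % ADJUSTMENT)
    print("3g ingress to", ext, "tcp/443:", ingress_decision("3g", ext, "tcp", 443))
```

Run stand-alone, it prints the outbound mapping 2001:db8:1:10::5 -> 2001:db8:2:f::5 (the subnet word moves from 0x0010 to 0x000f because the external prefix sums to one more than the internal one) and shows that a reply arriving on the 3G link is matched by the same rule as one arriving on the primary WAN. Because the mapping is checksum-neutral the translator needs no per-flow state and no transport-layer knowledge; the caveat is that both prefixes must be the same length, as the message notes, and that a /48 with subnet 0xffff cannot be used under this arithmetic.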
Current thread:
- Re: Requirements for IPv6 Firewalls, (continued)
- Re: Requirements for IPv6 Firewalls Sander Steffann (Apr 17)
- Re: Requirements for IPv6 Firewalls Brandon Ross (Apr 17)
- Re: Requirements for IPv6 Firewalls Matthew Kaufman (Apr 17)
- Re: Requirements for IPv6 Firewalls Timothy Morizot (Apr 17)
- Thank you Comcast Michael T. Voity (Apr 17)
- Re: Thank you Comcast Mehmet Akcin (Apr 17)
- Re: Thank you Comcast Doug Barton (Apr 17)
- Re: Requirements for IPv6 Firewalls Brandon Ross (Apr 17)
- Re: Requirements for IPv6 Firewalls Matthew Kaufman (Apr 17)
- Re: Requirements for IPv6 Firewalls Matt Palmer (Apr 18)
- Re: Requirements for IPv6 Firewalls Seth Mos (Apr 18)
- Re: Requirements for IPv6 Firewalls Enno Rey (Apr 18)
- Re: Requirements for IPv6 Firewalls Sander Steffann (Apr 17)
- Re: Requirements for IPv6 Firewalls Nick Hilliard (Apr 18)
- Re: Requirements for IPv6 Firewalls Lee Howard (Apr 18)
- Re: Requirements for IPv6 Firewalls Fernando Gont (Apr 21)
- Re: Requirements for IPv6 Firewalls Brandon Ross (Apr 21)
- Re: Requirements for IPv6 Firewalls Enno Rey (Apr 18)
- Re: Requirements for IPv6 Firewalls Doug Barton (Apr 18)
- Re: Requirements for IPv6 Firewalls Enno Rey (Apr 18)
- Re: Requirements for IPv6 Firewalls Doug Barton (Apr 19)