Firewall Wizards mailing list archives
Re: ***SPAM*** Re: IPv6 support in firewalls
From: "Patrick M. Hausen" <hausen () punkt de>
Date: Mon, 27 Aug 2007 09:30:45 +0200
Hi, all,

On Thu, Aug 23, 2007 at 05:06:55PM -0400, Dave Piscitello wrote:
> I'm sorry, but you are not using the term end-to-end in the correct context.

Understood and agreed, but ... ;-)

> Almost any firewalled configuration uses IP masquerading and that's hugely important. Do you really think it's better to assign public address space behind firewalls? Do you really want everyone to know every IP address block your organization uses internally by querying an RIR?

Yes, I think "official" registered address space for every single node, PC, mobile phone, fridge, coffee machine, ... _is_ the ultimate goal and one of the major reasons to deploy IPv6.

First, you should not rely on NAT as a security measure, anyway, because it isn't.

Second, one can just as well deploy a proxy with registered address space on both sides. I'm doing it in my datacenter to protect web and database servers. There's nothing gained by putting the "visible" address on the proxy and the web server on net 10. Besides added complexity and worse logging capabilities. Modern proxy firewalls with transparency appear like a router to the protected hosts, so why not use them that way and disable NAT?

Third, this is the _only_ way to get rid of the "net 10 considered harmful" nightmare that pops up over and over again when two enterprises want to connect their internal nets in some way. For example, SAP already hands /29 subnets of their own RIPE assigned IPv4 address space to their customers to build DMZs for remote support/VPN access, precisely for this reason.

> These combined are reasons to implement IPv4 forever:-)

IMHO these are the combined reasons to start over and kill NAT forever.

Kind regards,
Patrick M. Hausen
--
punkt.de GmbH * Vorholzstr. 25 * 76137 Karlsruhe
Tel. 0721 9109 0 * Fax 0721 9109 100
info () punkt de http://www.punkt.de
Gf: Jürgen Egeling AG Mannheim 108285
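
The routed, NAT-free setup argued for in the message above can be sketched as a stateful forwarding policy; this is an added example, not part of the original post, and it uses a plain nftables packet filter rather than the proxy firewall the author runs. Interface names and all addresses are assumptions (documentation prefixes 2001:db8::/32 and 198.51.100.0/24).

```nftables
#!/usr/sbin/nft -f
# Added example: firewall acting as a router in front of globally addressed
# servers. Protection comes from the default-drop forward policy and
# connection tracking; no address translation is configured anywhere.

define WAN  = "eth0"             # assumption: outside interface
define DMZ  = "eth1"             # assumption: server segment
define WEB6 = 2001:db8:0:10::80  # assumption: web server, registered IPv6
define WEB4 = 198.51.100.10      # assumption: web server, registered IPv4

table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for flows the policy already admitted.
        ct state established,related accept
        ct state invalid drop

        # ICMPv6 errors that IPv6 needs to function (path MTU discovery).
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept

        # Servers may open outbound connections.
        iifname $DMZ oifname $WAN ct state new accept

        # Only the published services are reachable from outside. Logs
        # carry the real client and server addresses, since nothing is
        # rewritten on the way through.
        iifname $WAN oifname $DMZ ip6 daddr $WEB6 tcp dport { 80, 443 } \
            ct state new log prefix "dmz-web6 " accept
        iifname $WAN oifname $DMZ ip daddr $WEB4 tcp dport { 80, 443 } \
            ct state new log prefix "dmz-web4 " accept

        # Everything else, including unsolicited inbound to any other
        # registered address, hits the drop policy after being logged.
        limit rate 10/second log prefix "fwd-drop "
    }
}
# Deliberately no "type nat" chain: the unreachability of unpublished hosts
# is a property of the filter rules above, not of private addressing.
```

The ruleset can be syntax-checked without loading it by running `nft -c -f` on the file.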