Firewall Wizards mailing list archives

Re: IPv6

From: John Kougoulos <koug () intranet gr>
Date: Thu, 30 Dec 2010 10:29:07 +0200

On 12/29/2010 11:33 AM, Martin Barry wrote:

$quoted_author = "Mathew Want" ;


Because I do not want my worktations to be routed to from the internet.


Then you want a stateful firewall, not NAT66.

Or do you have other reasons for wanting NAT66?


I see NAT66 helpful on eg site-to-site VPNs.

eg. Suppose that I have the prefix 2001:db8:85a3::/48 and I have some my
internet accessible machines on 2001:db8:85a3:3::/64 and some "internal"
machines on 2001:db8:85a3:2::/64 , 2001:db8:85a3:4::/64.

If the other side of the site-to-site VPN routes the whole
2001:db8:85a3::/48 over the VPN in order to access the "internal"
machines, they will try to access also the Internet accessible machines
over the site-to-site VPN, which could mean that they may bypass some

controls, or that I have to open tons of ACLs on various firewalls, notto mention the possible asymmetric routing issues.

If I could NAT66 the 2001:db8:85a3::/48 to a ULA::/48 space, I believeit would be much easier to manage, since the other side would have toroute the ULA space to the VPN.


Regards,
John Kougoulos

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

Re: IPv6, (continued)
- Re: IPv6 ArkanoiD (Dec 26)
- Re: IPv6 Devdas Bhagat (Dec 26)
  - Re: IPv6 Timothy Shea (Dec 26)
    - Re: IPv6 Carl Friedberg (Dec 27)
    - Re: IPv6 Jim Seymour (Dec 27)
    - Re: IPv6 Orca (Dec 27)
- Re: IPv6 Roger Marquis (Dec 26)
  - Re: IPv6 sai (Dec 26)
    - Re: IPv6 Mathew Want (Dec 27)
    - Re: IPv6 Martin Barry (Dec 29)
    - Re: IPv6 John Kougoulos (Dec 30)
    - Re: IPv6 Martin Barry (Dec 30)