Firewall Wizards mailing list archives

Re: IPv6

From: Martin Barry <marty () supine com>
Date: Thu, 30 Dec 2010 09:48:24 +0100

$quoted_author = "John Kougoulos" ;


I see NAT66 helpful on eg site-to-site VPNs.

eg. Suppose that I have the prefix 2001:db8:85a3::/48 and I have some my
internet accessible machines on 2001:db8:85a3:3::/64 and some "internal"
machines on 2001:db8:85a3:2::/64 , 2001:db8:85a3:4::/64.

If the other side of the site-to-site VPN routes the whole
2001:db8:85a3::/48 over the VPN in order to access the "internal"
machines, they will try to access also the Internet accessible machines
over the site-to-site VPN, which could mean that they may bypass some
controls, or that I have to open tons of ACLs on various firewalls,
not to mention the possible asymmetric routing issues.

If I could NAT66 the 2001:db8:85a3::/48 to a ULA::/48 space, I
believe it would be much easier to manage, since the other side
would have to route the ULA space to the VPN.


Why not just build the VPN with only the two /64s in the configuration and
not the entire /48?

And if you need to adjust routing and other firewalls, surely that's the
best way to do it rather than NATing them into some IPs that are already
privilaged.

cheers
Marty
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

Re: IPv6, (continued)
- Re: IPv6 Devdas Bhagat (Dec 26)
  - Re: IPv6 Timothy Shea (Dec 26)
    - Re: IPv6 Carl Friedberg (Dec 27)
    - Re: IPv6 Jim Seymour (Dec 27)
    - Re: IPv6 Orca (Dec 27)
- Re: IPv6 Roger Marquis (Dec 26)
  - Re: IPv6 sai (Dec 26)
    - Re: IPv6 Mathew Want (Dec 27)
    - Re: IPv6 Martin Barry (Dec 29)
    - Re: IPv6 John Kougoulos (Dec 30)
    - Re: IPv6 Martin Barry (Dec 30)