nanog mailing list archives
Re: Cool IPv6 Stuff
From: Adrian Chadd <adrian () creative net au>
Date: Tue, 5 Jun 2007 10:29:43 +0800
On Mon, Jun 04, 2007, Iljitsch van Beijnum wrote:
On 4-jun-2007, at 17:37, Donald Stahl wrote:I want NAT to die but I think it won't.Far too many "security" folks are dictating actual implementation details and that's fundamentally wrong.A security policy should read "no external access to the network" and it should be up to the network/firewall folks to determine how best to make that happen. Unfortunately many security policies go so far as to explicitly require NAT.Don't forget that the reason NAT works to the degree that it does today is because of all the workarounds in applications or protocol- specific workarounds in the NATs (ALGs). In IPv6, you don't have any of this stuff, so IPv6 NAT gets you nowhere fast with any protocol that does more than something HTTP-like. (Yes, I've tried it.)
Won't stateful firewalls have similar issues? Ie, if you craft a stateful firewall to allow an office to have real IPv6 addresses but not to allow arbitrary connections in/out (ie, the "stateful" bit), won't said stateful require protocol tracking modules with similar (but not -as-) complexity to the existing NAT modules? Adrian
Current thread:
- Cool IPv6 Stuff Jeroen Massar (Jun 01)
- Message not available
- Re: Cool IPv6 Stuff Jeroen Massar (Jun 01)
- Message not available
- Re: Cool IPv6 Stuff Jared Mauch (Jun 03)
- Re: Cool IPv6 Stuff Sam Stickland (Jun 04)
- Re: Cool IPv6 Stuff Adrian Chadd (Jun 04)
- Message not available
- Re: Cool IPv6 Stuff Sam Stickland (Jun 04)
- Re: Cool IPv6 Stuff Donald Stahl (Jun 04)
- Re: Cool IPv6 Stuff Iljitsch van Beijnum (Jun 04)
- Re: Cool IPv6 Stuff Adrian Chadd (Jun 04)
- Re: Cool IPv6 Stuff Donald Stahl (Jun 04)
- Re: Cool IPv6 Stuff Adrian Chadd (Jun 04)
- Re: Cool IPv6 Stuff Iljitsch van Beijnum (Jun 06)
- Re: Cool IPv6 Stuff Sam Stickland (Jun 04)
- Re: Cool IPv6 Stuff Joel Jaeggli (Jun 04)
- Re: Cool IPv6 Stuff Owen DeLong (Jun 04)
- Security gain from NAT (was: Re: Cool IPv6 Stuff) Jim Shankland (Jun 04)
- Re: Security gain from NAT (was: Re: Cool IPv6 Stuff) Joe Abley (Jun 04)
- Re: Security gain from NAT Sam Stickland (Jun 04)
- RE: Security gain from NAT Howard C. Berkowitz (Jun 04)
- Re: Security gain from NAT (was: Re: Cool IPv6 Stuff) Owen DeLong (Jun 04)