Re: Cool IPv6 Stuff

[Adrian Chadd <adrian () creative net au>]

On Mon, Jun 04, 2007, Iljitsch van Beijnum wrote:
> On 4-jun-2007, at 17:37, Donald Stahl wrote:
>
> > > I want NAT to die but I think it won't.
>
> > Far too many "security" folks are dictating actual implementation  
> > details and that's fundamentally wrong.
>
> > A security policy should read "no external access to the network"  
> > and it should be up to the network/firewall folks to determine how  
> > best to make that happen. Unfortunately many security policies go  
> > so far as to explicitly require NAT.
>
> Don't forget that the reason NAT works to the degree that it does  
> today is because of all the workarounds in applications or protocol- 
> specific workarounds in the NATs (ALGs). In IPv6, you don't have any  
> of this stuff, so IPv6 NAT gets you nowhere fast with any protocol  
> that does more than something HTTP-like. (Yes, I've tried it.)

Won't stateful firewalls have similar issues? Ie, if you craft a stateful
firewall to allow an office to have real IPv6 addresses but not to allow
arbitrary connections in/out (ie, the "stateful" bit), won't said stateful
require protocol tracking modules with similar (but not -as-) complexity
to the existing NAT modules?




Adrian