Re: Cool IPv6 Stuff

[Iljitsch van Beijnum <iljitsch () muada com>]

On 5-jun-2007, at 4:29, Adrian Chadd wrote:

> > Don't forget that the reason NAT works to the degree that it does
> > today is because of all the workarounds in applications or protocol-
> > specific workarounds in the NATs (ALGs). In IPv6, you don't have any
> > of this stuff, so IPv6 NAT gets you nowhere fast with any protocol
> > that does more than something HTTP-like. (Yes, I've tried it.)

> Won't stateful firewalls have similar issues? Ie, if you craft a  
> stateful
> firewall to allow an office to have real IPv6 addresses but not to  
> allow
> arbitrary connections in/out (ie, the "stateful" bit), won't said  
> stateful
> require protocol tracking modules with similar (but not -as-)  
> complexity
> to the existing NAT modules?

I'm afraid so, yes.

http://arstechnica.com/articles/paedia/ipv6-firewall-mixed-blessing.ars