nanog mailing list archives

Re: IPv6 uptake (was: The Reg does 240/4)


From: Justin Streiner <streinerj () gmail com>
Date: Sat, 17 Feb 2024 13:22:31 -0500

We went pretty deep into the weeds on NAT in this thread - far deeper than
I expected ;)

Getting back to the recently revised topic of this thread - IPv6 uptake -
what have people's experiences been related to crafting sane v6 firewall
rulesets in recent products from the major firewall players (Palo Alto,
Cisco, Fortinet, etc)? On the last major v6 deployment I did, working with
the firewalls was definitely one of the major pain points because the
support / stability was really lacking, or there wasn't full feature parity
between their v4 and v6 capabilities.

Thank you
jms

On Fri, Feb 16, 2024 at 11:04 PM William Herrin <bill () herrin us> wrote:

On Fri, Feb 16, 2024 at 7:41 PM John R. Levine <johnl () iecc com> wrote:
That it's possible to implement network security well without using
NAT does not contradict the claim that NAT enhances network security.

I think we're each overgeneralizing from our individual experience.

You can configure a V6 firewall to be default closed as easily as you can
configure a NAT.

Hi John,

We're probably not speaking the same language. You're talking about
configuring the function of one layer in a security stack. I'm talking
about adding or removing a layer in a security stack. Address
overloaded NAT in conjunction with private internal addresses is an
additional layer in a security stack. It has security-relevant
properties that the other layers don't duplicate. Regardless of how
you configure it.

Also, you can't "configure" a layer to be default closed. That's a
property of the security layer. It either is or it is not.

You can configure a layer to be "default deny," which I assume is what
you meant. The issue is that anything that can be configured can be
accidentally unconfigured. When default-deny is accidentally
unconfigured, the network becomes wide open. When NAT is accidentally
unconfigured, the network stops functioning entirely. The gate is
closed.

Regards,
Bill Herrin


--
William Herrin
bill () herrin us
https://bill.herrin.us/