[111635] in North American Network Operators' Group


Re: v6 & DSL / Cable modems [was: Private use of non-RFC1918 IP space

daemon@ATHENA.MIT.EDU (Mark Newton)
Mon Feb 9 18:34:00 2009

From: Mark Newton <newton@internode.com.au>
To: Stephen Sprunk <stephen@sprunk.org>
In-Reply-To: <4990BB43.8020909@sprunk.org>
Date: Tue, 10 Feb 2009 10:03:41 +1030
Cc: north American Noise and Off-topic Gripes <nanog@merit.edu>
Errors-To: nanog-bounces@nanog.org


On 10/02/2009, at 9:54 AM, Stephen Sprunk wrote:
>
> Yes, an ALG needs to understand the packet format to open pinholes  
> -- but with NAT, it also needs to mangle the packets.  A non-NAT  
> firewall just examines the packets and then passes them on unmangled.

Sure, but at the end of the day a non-NAT firewall is just a special case
of a NAT firewall where the "inside" and "outside" addresses happen to
be the same.

If I was a commodity consumer hardware manufacturer, that's how I'd handle
the IPv6 firewalling problem, because that'd let me pass non-NAT'ed v6
packets and NAT'ed v4 packets through the same code paths, thereby enabling
me to avoid reinventing the entire wheel (and an entire new set of bugs)
to do v6 firewalling.

DSL/Cable CPE is already full of v4 ALGs, and it's reasonable to expect that
the only difference between those and the equivalent v6 ALGs will be the
lack of v6 NAT.

   -  mark

--
Mark Newton                               Email:  newton@internode.com.au (W)
Network Engineer                          Email:  newton@atdot.dotat.org  (H)
Internode Pty Ltd                         Desk:   +61-8-82282999
"Network Man" - Anagram of "Mark Newton"  Mobile: +61-416-202-223
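An added illustration of the point made in this reply, written for this archive page and not part of the original mail or of any CPE vendor's code: a toy model in Python of one stateful-filtering code path in which the v6 "translation" is simply the identity, so the same connection table and the same pinhole check serve NAT'ed v4 and non-NAT'ed v6. The class and method names, the addresses (RFC 5737 / RFC 3849 documentation ranges) and the port allocator are all constructed for the example; packet payloads and the ALG's rewriting of addresses inside them are deliberately not modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """A constructed 5-tuple; payloads are not modelled."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class UnifiedFirewall:
    """One stateful-filtering code path for v4 and v6 (constructed example).

    Every flow goes through the same table of outside tuple -> inside endpoint.
    For v4 the outside endpoint is the CPE's public address plus an allocated
    port (NAT); for v6 the outside endpoint *is* the inside endpoint, i.e. the
    translation is the identity and nothing is rewritten.
    """

    def __init__(self, wan_v4: str, first_port: int = 40000) -> None:
        self.wan_v4 = wan_v4            # public v4 address (constructed value)
        self.next_port = first_port     # deterministic allocator for the example
        # key: (proto, remote_addr, remote_port, outside_addr, outside_port)
        # value: (inside_addr, inside_port)
        self.table: Dict[Tuple[str, str, int, str, int], Tuple[str, int]] = {}

    def _outside(self, inside_addr: str, inside_port: int) -> Tuple[str, int]:
        """Map an inside endpoint to the endpoint the Internet sees."""
        if ip_address(inside_addr).version == 6:
            return inside_addr, inside_port   # identity mapping: no v6 NAT
        port = self.next_port                 # v4: substitute the public address
        self.next_port += 1
        return self.wan_v4, port

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> Internet: record state, rewrite only where translated."""
        osrc, osport = self._outside(pkt.src, pkt.sport)
        self.table[(pkt.proto, pkt.dst, pkt.dport, osrc, osport)] = (pkt.src, pkt.sport)
        return Packet(osrc, osport, pkt.dst, pkt.dport, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> inside: only flows with matching state get through.

        Returns the packet as delivered to the inside host, or None when it is
        dropped because nothing on the inside opened that pinhole.  The check
        is identical for v4 and v6; only the table contents differ.
        """
        inside = self.table.get((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if inside is None:
            return None
        return Packet(pkt.src, pkt.sport, inside[0], inside[1], pkt.proto)

    def alg_pinhole(self, proto: str, remote_addr: str, remote_port: int,
                    inside_addr: str, inside_port: int) -> Tuple[str, int]:
        """What an ALG does after parsing a control channel: pre-register an
        expected inbound flow.  For v6 this is the whole job; for v4 the same
        call also hands back the translated endpoint that the ALG would have
        to write into the payload (the mangling step this model leaves out)."""
        osrc, osport = self._outside(inside_addr, inside_port)
        self.table[(proto, remote_addr, remote_port, osrc, osport)] = (inside_addr, inside_port)
        return osrc, osport


def demo() -> dict:
    """Run one v4 and one v6 flow through the same code path."""
    fw = UnifiedFirewall("198.51.100.1")
    out4 = fw.outbound(Packet("192.168.1.10", 51000, "203.0.113.5", 80))
    out6 = fw.outbound(Packet("2001:db8::10", 51000, "2001:db8:ffff::5", 80))
    return {
        "v4_as_seen_outside": out4,                      # rewritten to 198.51.100.1:40000
        "v6_as_seen_outside": out6,                      # unchanged
        "v4_reply": fw.inbound(Packet("203.0.113.5", 80, out4.src, out4.sport)),
        "v6_reply": fw.inbound(Packet("2001:db8:ffff::5", 80, out6.src, out6.sport)),
        "v6_unsolicited": fw.inbound(Packet("2001:db8:ffff::5", 80, "2001:db8::10", 22)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The thing to notice is that `inbound()` has no v4/v6 branch at all: an unsolicited v6 packet to an inside host is dropped for exactly the same reason an unsolicited v4 packet is, because no state entry exists, which is the "stateful firewall without NAT" behaviour the thread is discussing. Whether that is a good design for a real CPE (state table exhaustion, timeouts, how the ALG parses the control channel) is outside this toy, but it does show why the two cases can share bugs as well as code.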
