[136519] in North American Network Operators' Group
RE: quietly....
daemon@ATHENA.MIT.EDU (Matthew Huff)
Thu Feb 3 12:24:10 2011
From: Matthew Huff <mhuff@ox.com>
To: Jon Lewis <jlewis@lewis.org>, Iljitsch van Beijnum <iljitsch@muada.com>
Date: Thu, 3 Feb 2011 11:58:27 -0500
In-Reply-To: <Pine.LNX.4.61.1102031133450.5148@soloth.lewis.org>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Yes, but unless that ipv6 that isn't globally routed is NAT66 to the outsid=
e world, then it wouldn't have external access.
> -----Original Message-----
> From: Jon Lewis [mailto:jlewis@lewis.org]
> Sent: Thursday, February 03, 2011 11:41 AM
> To: Iljitsch van Beijnum
> Cc: nanog@nanog.org
> Subject: Re: quietly....
>=20
> On Thu, 3 Feb 2011, Iljitsch van Beijnum wrote:
>=20
> > On 3 feb 2011, at 17:16, Jon Lewis wrote:
> >
> >> When someone breaks or shuts off that filter, traffic through the NAPT=
firewall stops working. On
> the stateful firewall with public IPs on both sides, everything works...i=
ncluding the traffic you
> didn't want.
> >
> >> People are going to want NAT66...and not providing it may slow down IP=
v6 adoption.
> >
> > Hm, if you turn off the NAT66 function, wouldn't the traffic pass throu=
gh unhindered, too?
>=20
> Outbound traffic would. Inbound, if on the inside, you're using IPv6
> space that's not globally routed, won't. Just like what happens now with
> NAPT with rfc1918 space on the inside when you stop doing
> translation...private IP traffic leaks out...but nothing comes back
> because there is no return path.
>=20
> ----------------------------------------------------------------------
> Jon Lewis, MCP :) | I route
> Senior Network Engineer | therefore you are
> Atlantic Net |
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
