[171093] in North American Network Operators' Group


Re: Requirements for IPv6 Firewalls

daemon@ATHENA.MIT.EDU (Matt Palmer)
Fri Apr 18 02:58:33 2014

Date: Fri, 18 Apr 2014 16:57:57 +1000
From: Matt Palmer <mpalmer@hezmatt.org>
To: nanog@nanog.org
Mail-Followup-To: nanog@nanog.org
In-Reply-To: <CAFy81rkaY5OEQyuCEnHHYpUvC_Lb3Kh5gqZ6aZ7qKcZ9UoFNCQ@mail.gmail.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Thu, Apr 17, 2014 at 09:05:17PM -0500, Timothy Morizot wrote:
> On Apr 17, 2014 7:52 PM, "Matthew Kaufman" <matthew@matthew.at> wrote:
> > While you're at it, the document can explain to admins who have been
> > burned, often more than once, by the pain of re-numbering internal services
> > at static addresses how IPv6 without NAT will magically solve this problem.
> 
> If you're worried about that issue, either get your own end user
> assignment(s) from ARIN or use ULA internally and employ NAT-PT (prefix
> translation) at the perimeter. That's not even a hard question.

Why use NAT-PT in that instance?  Since IPv6 interfaces are happy running
with multiple addresses, the machines can have their publicly accessible
address and also their ULA address, with internal services binding to (and
referring to, via DNS, et al) the ULA address; when you change providers,
the publicly accessible address changes (whoopee!), but the internal
service address doesn't.

- Matt
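The dual-address scheme Matt describes, worked through as an added example (this is not code from the thread): each host carries a provider-assigned global address and a ULA, internal services bind to and are published under the ULA, and a simulated provider change rewrites only the global prefix. The host addresses, the 2001:db8::/32 documentation prefixes and the fd12:3456:789a::/48 ULA are constructed values.

```python
import ipaddress

# RFC 4193 unique local addresses and the globally routable unicast range.
ULA_RANGE = ipaddress.ip_network("fc00::/7")
GUA_RANGE = ipaddress.ip_network("2000::/3")

# Constructed sample host: one provider-assigned GUA plus one ULA.
HOST_ADDRS = ["2001:db8:1:10::25", "fd12:3456:789a:10::25"]


def classify(addr: str) -> str:
    """Label an IPv6 address as 'ula', 'gua' or 'other' (link-local etc.)."""
    a = ipaddress.ip_address(addr)
    if a.version != 6:
        raise ValueError(f"not an IPv6 address: {addr}")
    if a in ULA_RANGE:
        return "ula"
    if a in GUA_RANGE:
        return "gua"
    return "other"


def internal_bind_address(host_addrs):
    """Address an internal service binds to and publishes in internal DNS:
    the host's ULA, never the provider-assigned GUA."""
    ulas = [a for a in host_addrs if classify(a) == "ula"]
    if not ulas:
        raise LookupError("host has no ULA; internal services would depend on the GUA")
    return ulas[0]


def renumber_gua(host_addrs, old_prefix: str, new_prefix: str):
    """Simulate a provider change: addresses under old_prefix get new_prefix
    with the same interface identifier; ULA addresses are untouched."""
    old = ipaddress.ip_network(old_prefix)
    new = ipaddress.ip_network(new_prefix)
    if old.prefixlen != new.prefixlen:
        raise ValueError("old and new prefixes must have the same length")
    host_mask = (1 << (128 - old.prefixlen)) - 1
    result = []
    for s in host_addrs:
        a = ipaddress.ip_address(s)
        if a in old:
            a = ipaddress.IPv6Address(int(new.network_address) | (int(a) & host_mask))
        result.append(str(a))
    return result


if __name__ == "__main__":
    after = renumber_gua(HOST_ADDRS, "2001:db8:1::/48", "2001:db8:2::/48")
    print("before:", HOST_ADDRS, "after:", after)
    print("internal DNS target unchanged:",
          internal_bind_address(HOST_ADDRS) == internal_bind_address(after))
```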
