[171117] in North American Network Operators' Group


Re: Requirements for IPv6 Firewalls

daemon@ATHENA.MIT.EDU (Doug Barton)
Fri Apr 18 15:01:05 2014

Date: Fri, 18 Apr 2014 11:59:04 -0700
From: Doug Barton <dougb@dougbarton.us>
To: Enno Rey <erey@ernw.de>, nanog@nanog.org
In-Reply-To: <20140418075731.GA10795@ernw.de>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On 04/18/2014 12:57 AM, Enno Rey wrote:
> I fully second Sander's input. I've been involved in IPv6 planning in a number of very large enterprises now and _none_ of them required/asked for (66/overloading) NAT for their firewall environments. A few think about very specific deployments of NPTv6 like stuff for connections to supplier/partner networks (to map those to their own address space) but these are corner cases not even relevant for their "firewalls".

How many of those networks were implementing with IPv6 PI space? My 
experience has been that those customers are not interested in IPv6 NAT, 
but instead utilize network segmentation to define "internal" vs. 
"external."

OTOH, customers for whom PI space is not realistic (for whatever 
reasons, and yes there are reasons) are very interested in the 
combination of ULA + NPTv6 to handle internal resources without having 
to worry about renumbering down the road.

Doug


