[64666] in North American Network Operators' Group
Re: IPv6 NAT
daemon@ATHENA.MIT.EDU (Owen DeLong)
Thu Oct 30 12:23:31 2003
Date: Thu, 30 Oct 2003 09:22:24 -0800
From: Owen DeLong <owen@delong.com>
To: Michael.Dillon@radianz.com, nanog@merit.edu
In-Reply-To: <OF99A6345E.CA71D9CD-ON80256DCF.0052FA4F-80256DCF.00547F99@radianz.com>
In fact, Michael, there is no reason someone can't do everything you
describe with IPv4 if they are using unique address space.
Owen
--On Thursday, October 30, 2003 3:22 PM +0000 Michael.Dillon@radianz.com wrote:
>
>> NAT also has the advantage that if packets do leak
>> bogon filters at the border will drop them.
>
> NAT is simply an algorithm which causes a firewall to
> drop all traffic which doesn't match an entry in a
> set of internal state tables. The NAT algorithm sets
> up these state tables based on outgoing traffic and
> based on specific operator configurations, i.e. static
> NAT mappings.
>
> This algorithm can be implemented in a trivial piece
> of software that runs on cheap, low-power devices
> commonly used in things like DSL routers.
>
> The IPv6 folks are claiming that you can very easily
> implement the same type of algorithm on IPv6 routers to
> drop all traffic which doesn't match an entry in a
> set of internal state tables. The IPv6 algorithm would set
> up these state tables based on outgoing traffic and
> based on specific operator configurations, i.e. static
> enabled addresses.
>
> The only difference is that the IPv6 device never changes
> the packet contents, i.e. never replaces source or
> destination addresses in the headers. The IPv6 version can
> still drop traffic and can still dynamically enable certain
> incoming traffic based upon detection of an outgoing TCP
> session starting up. It could even do port redirection if
> that was still useful to people. It could also allow operator
> configuration to enable incoming traffic to specific addresses.
> The IPv6 version would be just as secure as an IPv4 NAT device
> but it would not interfere with protocol functioning.
>
> Now, I'm not claiming that every device capable of IPv4 NAT is currently able
> to function in this way, but there are no technical barriers to prevent
> manufacturers from making IPv6 devices that function in this way. The IPv6
> vendor marketing folks can even invent terms like NAT (Network Authority
> Technology) to describe this simple IPv6 firewall function, i.e. IPv6 NAT.
>
> It wouldn't be the first time that acronyms have been reinvented, e.g.
> RED, GSM.
> --Michael Dillon
--
If it wasn't signed, it probably didn't come from me.
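The contrast Michael draws above (a NAT box and a "filter-only" IPv6 box driven by the same state table, the only difference being whether the header is rewritten) can be modelled in a few dozen lines. The following Python is an added example written for this archive page; it is not code from the thread or from any vendor's product. The class `BorderDevice`, its two modes, the port-allocation scheme and every address (documentation prefixes 2001:db8::/32, 203.0.113.0/24, 198.51.100.0/24 and private 10.0.0.0/8) are constructed for illustration.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

# Constructed toy model of the two border devices contrasted in the thread.
# 'nat'    : IPv4 style, rewrites the source of outbound packets and the
#            destination of matching replies.
# 'filter' : IPv6 style, keeps the identical state table but never alters
#            a header.  Both drop inbound traffic that matches neither a
#            dynamic entry nor an operator-configured static mapping.


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


Endpoint = Tuple[str, int]
FlowKey = Tuple[str, int, str, int, str]


class BorderDevice:
    def __init__(self, mode: str, external_addr: Optional[str] = None,
                 static_map: Optional[Dict[Endpoint, Endpoint]] = None):
        if mode not in ("nat", "filter"):
            raise ValueError("mode must be 'nat' or 'filter'")
        if mode == "nat" and external_addr is None:
            raise ValueError("NAT mode needs an external address")
        self.mode = mode
        self.external_addr = external_addr
        # Operator configuration: (address, port) reachable from outside ->
        # internal endpoint.  For the filter-only device the two sides are
        # normally identical (Michael's "static enabled addresses"); a
        # differing port gives the optional port redirection he mentions.
        self.static_map: Dict[Endpoint, Endpoint] = dict(static_map or {})
        # Dynamic state: key is the 5-tuple an inbound reply will carry,
        # value is the internal endpoint the reply must be delivered to.
        self.state: Dict[FlowKey, Endpoint] = {}
        self._next_port = 40000  # hypothetical port-allocation scheme

    def outbound(self, pkt: Packet) -> Packet:
        """Record an outgoing flow; return the packet as sent to the outside."""
        if self.mode == "nat":
            ext_port = self._next_port
            self._next_port += 1
            fwd = replace(pkt, src=self.external_addr, sport=ext_port)
        else:
            fwd = pkt  # the IPv6 device never touches the header
        key: FlowKey = (fwd.dst, fwd.dport, fwd.src, fwd.sport, fwd.proto)
        self.state[key] = (pkt.src, pkt.sport)
        return fwd

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet to deliver inside, or None if the device drops it."""
        key: FlowKey = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        target = self.state.get(key) or self.static_map.get((pkt.dst, pkt.dport))
        if target is None:
            return None  # no state and no operator mapping: dropped
        # In filter mode the target equals the header already carried, so the
        # packet is delivered unchanged; in NAT mode this undoes the rewrite.
        return replace(pkt, dst=target[0], dport=target[1])


if __name__ == "__main__":
    fw6 = BorderDevice("filter",
                       static_map={("2001:db8::80", 443): ("2001:db8::80", 443)})
    print(fw6.outbound(Packet("2001:db8::10", 51000, "2001:db8:ffff::1", 80)))
    print(fw6.inbound(Packet("2001:db8:ffff::1", 80, "2001:db8::10", 51000)))
    print(fw6.inbound(Packet("2001:db8:ffff::1", 80, "2001:db8::10", 51001)))
    nat = BorderDevice("nat", external_addr="203.0.113.1")
    print(nat.outbound(Packet("10.0.0.10", 51000, "198.51.100.1", 80)))
    print(nat.inbound(Packet("198.51.100.1", 80, "203.0.113.1", 40000)))
```

Running the script shows the filter-only device forwarding the outbound packet and its reply byte-for-byte unchanged while dropping the reply to a port it never saw leave, and the NAT device doing the same drop decision but with rewritten headers on both legs. The lookup order in `inbound` (dynamic state first, then the static table) is the one point a real implementation would need to think harder about, since a static mapping that overlaps an allocated port range would otherwise shadow live flows.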