[94615] in North American Network Operators' Group
Re: Google wants to be your Internet
daemon@ATHENA.MIT.EDU (Bernhard Schmidt)
Mon Jan 29 20:35:39 2007
To: nanog@merit.edu
From: Bernhard Schmidt <berni@birkenwald.de>
Date: Tue, 30 Jan 2007 02:20:35 +0100
X-Complaints-To: usenet@sea.gmane.org
Errors-To: owner-nanog@merit.edu
Henning Brauer <hb-nanog@bsws.de> wrote:
>> > IPv6 makes NAT obsolete because IPv6 firewalls can provide all
>> > the useful features of IPv4 NAT without any of the downsides.
>> ...
>>
>> IPv6 firewalls? Where? Good ones?
> OpenBSD's pf has support for v6 for years now.
Which works pretty well if you forget one tiny thing (from pf.conf(5))
| FRAGMENT HANDLING
| [...]
| Currently, only IPv4 fragments are supported and IPv6 fragments are
| blocked unconditionally.
which can bite you in the ass pretty hard if you don't expect it.
Fragments are valid packets and crucial for many applications, so
unconditional blocking (even with a "pass inet6 from any to any"
policy) is bad.
Other working solutions are
- Linux + nf_conntrack (maybe in a few kernel versions, there was an
OOPS in 2.6.20-rc5 with (tadaaa) fragment handling, fixed though)
- Cisco ASA and FWSM
- IIRC Juniper (Netscreen) firewalls
and I guess some more.
Regards,
Bernhard
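As an added example (not from the original thread, and not pf's own code), a small Python walker over the IPv6 extension-header chain that identifies fragments via the Fragment header (Next Header 44) and emulates, in simplified form, the unconditional blocking quoted from pf.conf(5): a fragment is dropped before any "pass inet6" rule is consulted. The sample packets are constructed inline with loopback addresses and fake payloads.

```python
import struct
# Protocol numbers the header-chain walker needs (RFC 8200 / IANA).
HOPOPT, ROUTING, FRAGMENT, DSTOPTS, UDP = 0, 43, 44, 60, 17
IPV6_HDR_LEN = 40

def parse_ipv6(pkt: bytes) -> dict:
    """Walk the extension-header chain; report fragment status and the
    upper-layer protocol (None for a non-first fragment, which has none)."""
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr, off = pkt[6], IPV6_HDR_LEN
    info = {"fragment": False, "proto": None}
    while True:
        if next_hdr == FRAGMENT:
            # Fragment header: next hdr, reserved, offset(13)|res(2)|M(1), id
            nh, _, frag_field, ident = struct.unpack_from("!BBHI", pkt, off)
            info.update(fragment=True, offset=(frag_field >> 3) * 8,
                        more=bool(frag_field & 1), ident=ident)
            next_hdr, off = nh, off + 8
            if info["offset"] != 0:
                return info
        elif next_hdr in (HOPOPT, ROUTING, DSTOPTS):
            # Hdr Ext Len counts 8-octet units, not including the first 8.
            next_hdr, off = pkt[off], off + (pkt[off + 1] + 1) * 8
        else:
            info["proto"] = next_hdr
            return info

def fragment_blocking_verdict(pkt: bytes, policy_passes_inet6: bool = True) -> str:
    """Simplified emulation of the pf.conf(5) text quoted in the post: any
    IPv6 fragment is blocked regardless of the pass/block ruleset."""
    if parse_ipv6(pkt)["fragment"]:
        return "block"
    return "pass" if policy_passes_inet6 else "block"

# --- constructed sample packets (::1 both ends, fake payloads) ---
def ipv6(payload: bytes, next_hdr: int) -> bytes:
    addr = bytes(15) + b"\x01"  # ::1 for both source and destination
    return struct.pack("!IHBB", 6 << 28, len(payload), next_hdr, 64) + addr + addr + payload

def frag_hdr(next_hdr: int, offset: int, more: bool, ident: int) -> bytes:
    return struct.pack("!BBHI", next_hdr, 0, ((offset // 8) << 3) | int(more), ident)

UDP_HDR = struct.pack("!HHHH", 53, 53, 12, 0) + b"\xde\xad\xbe\xef"  # DNS-like UDP
PLAIN = ipv6(UDP_HDR, UDP)
FIRST_FRAG = ipv6(frag_hdr(UDP, 0, True, 0x1234) + UDP_HDR, FRAGMENT)
LATER_FRAG = ipv6(frag_hdr(UDP, 1232, False, 0x1234) + bytes(16), FRAGMENT)

if __name__ == "__main__":
    for name, p in (("plain", PLAIN), ("first frag", FIRST_FRAG), ("later frag", LATER_FRAG)):
        print(f"{name:10s} {parse_ipv6(p)} -> {fragment_blocking_verdict(p)}")
```

Only the unfragmented packet passes; both the first fragment (which still carries the UDP header) and the later one are dropped, which is the behaviour the post warns about.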