[97249] in North American Network Operators' Group


Re: Cool IPv6 Stuff

daemon@ATHENA.MIT.EDU (Adrian Chadd)
Mon Jun 4 22:28:40 2007

Date: Tue, 5 Jun 2007 10:29:43 +0800
From: Adrian Chadd <adrian@creative.net.au>
To: Iljitsch van Beijnum <iljitsch@muada.com>
Cc: NANOG list <nanog@nanog.org>
In-Reply-To: <D9E2900A-81D7-4590-9BBD-17E97DAF8344@muada.com>
Errors-To: owner-nanog@merit.edu


On Mon, Jun 04, 2007, Iljitsch van Beijnum wrote:
> 
> On 4-jun-2007, at 17:37, Donald Stahl wrote:
> 
> >>I want NAT to die but I think it won't.
> 
> >Far too many "security" folks are dictating actual implementation  
> >details and that's fundamentally wrong.
> 
> >A security policy should read "no external access to the network"  
> >and it should be up to the network/firewall folks to determine how  
> >best to make that happen. Unfortunately many security policies go  
> >so far as to explicitly require NAT.
> 
> Don't forget that the reason NAT works to the degree that it does
> today is because of all the workarounds in applications or
> protocol-specific workarounds in the NATs (ALGs). In IPv6, you don't have any
> of this stuff, so IPv6 NAT gets you nowhere fast with any protocol
> that does more than something HTTP-like. (Yes, I've tried it.)

Won't stateful firewalls have similar issues? I.e., if you craft a stateful
firewall to allow an office to have real IPv6 addresses but not to allow
arbitrary connections in/out (i.e., the "stateful" bit), won't said stateful
firewall require protocol tracking modules with similar (but not -as-) complexity
to the existing NAT modules?

Adrian
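An added illustration of the point raised above (not part of the original thread): a minimal nftables ruleset for a stateful IPv6 edge firewall with no NAT. The interface names "lan0" and "wan0" are assumptions. The `ct helper` lines are exactly the "protocol tracking module" the question asks about; without them, an FTP data connection from outside is not tracked as `related` and is dropped by the default policy.

```nftables
# Stateful IPv6 filtering without NAT: hosts keep their global addresses,
# but only connections initiated from the LAN (and their related flows) pass.
table ip6 edge {
    # Protocol-specific tracking (the firewall equivalent of a NAT ALG).
    # Needed for anything that opens secondary connections, e.g. active FTP.
    ct helper ftp-helper {
        type "ftp" protocol tcp
    }

    chain prerouting {
        type filter hook prerouting priority raw; policy accept;
        # Attach the FTP helper to control connections so that the data
        # connection is recognised as "related" to the session.
        tcp dport 21 ct helper set "ftp-helper"
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Return traffic for existing sessions, plus flows a helper linked
        # to them (FTP data, ICMPv6 errors for tracked flows).
        ct state established,related accept
        ct state invalid drop

        # Path MTU discovery and neighbour discovery must not be broken
        # by the stateful policy.
        icmpv6 type { packet-too-big, time-exceeded, parameter-problem } accept

        # New sessions may only be initiated from the office side.
        iifname "lan0" oifname "wan0" ct state new accept

        # Everything else (unsolicited inbound) falls through to the drop policy.
    }
}
```

Loading a table like this with `nft -f`, then watching `conntrack -f ipv6 -L`, shows the same per-protocol state that a NAT box keeps, minus the address rewriting.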

