[97251] in North American Network Operators' Group


Re: Cool IPv6 Stuff

daemon@ATHENA.MIT.EDU (Donald Stahl)
Mon Jun 4 23:37:42 2007

Date: Mon, 4 Jun 2007 23:36:52 -0400 (EDT)
From: Donald Stahl <don@calis.blacksun.org>
To: Adrian Chadd <adrian@creative.net.au>
Cc: Iljitsch van Beijnum <iljitsch@muada.com>,
	NANOG list <nanog@nanog.org>
In-Reply-To: <20070605022942.GF17495@skywalker.creative.net.au>
Errors-To: owner-nanog@merit.edu


> Won't stateful firewalls have similar issues? I.e., if you craft a stateful
> firewall to allow an office to have real IPv6 addresses but not to allow
> arbitrary connections in/out (i.e., the "stateful" bit), won't said stateful
> require protocol tracking modules with similar (but not -as-) complexity
> to the existing NAT modules?
It's a lot easier to write a firewall module that monitors a SIP 
connection to allow for bi-directional traffic than it is to monitor for 
such connections and rewrite the packets.

Not to mention- what happens when the SIP traffic (for example) goes out 
with 1918 addresses in the packets? The firewall never sees the return 
traffic because the destination system is trying to send traffic to a 
private address- it gets lost in the ether and troubleshooting becomes a 
pain. With real addresses in the packets the traffic will at least make it 
back to the firewall- even if the firewall doesn't know how to handle 
them. At that point you know what's happening and can either correct the 
rules, enable a proxy, or yell at your firewall vendor.

-Don
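An added example, not from the original thread, of the two things Don's reply contrasts: a stateful firewall module only has to read the SDP body of a SIP INVITE to learn which media address and ports to open, whereas NAT has to rewrite them. It also shows the failure mode he describes: when the SDP carries an RFC 1918 address, the return RTP is addressed to a private host and never reaches the firewall, so the module flags it instead of opening a pinhole. The two SIP messages are constructed samples (2001:db8::/32 is the IPv6 documentation prefix); the function and field names are my own, not any firewall product's API.

```python
import ipaddress

# Constructed sample: INVITE whose SDP advertises a private (RFC 1918) media address.
# Content-Length is omitted; over UDP the body simply runs to the end of the datagram.
SAMPLE_INVITE_V4 = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@example.org>;tag=1928301774\r\n"
    "To: <sip:bob@example.net>\r\n"
    "Call-ID: a84b4c76e66710@10.0.0.5\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 10.0.0.5\r\n"
    "s=-\r\n"
    "c=IN IP4 10.0.0.5\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)

# Constructed sample: the same call from a host with a "real" IPv6 address (documentation prefix).
SAMPLE_INVITE_V6 = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP [2001:db8::5]:5060;branch=z9hG4bK776asdhdt\r\n"
    "From: <sip:alice@example.org>;tag=1928301775\r\n"
    "To: <sip:bob@example.net>\r\n"
    "Call-ID: a84b4c76e66711@example.org\r\n"
    "CSeq: 314160 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844527 2890844527 IN IP6 2001:db8::5\r\n"
    "s=-\r\n"
    "c=IN IP6 2001:db8::5\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True only for IPv4 addresses inside the three RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)


def parse_sdp_media(message):
    """Split a SIP message into headers and body and return one dict per m= line,
    each with the connection address that applies to it (a media-level c= line
    overrides the session-level one). Non-SDP bodies yield an empty list."""
    head, sep, body = message.partition("\r\n\r\n")
    if not sep:
        raise ValueError("SIP message has no header/body separator")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if headers.get("content-type", "").lower() != "application/sdp":
        return []
    session_addr = None
    media = []
    for line in body.split("\r\n"):
        if line.startswith("c="):
            addr = line.split()[2]  # "c=<nettype> <addrtype> <address>"
            if media:
                media[-1]["addr"] = addr  # media-level c= applies to the last m=
            else:
                session_addr = addr
        elif line.startswith("m="):
            fields = line.split()  # "m=<media> <port> <proto> <fmt...>"
            media.append({"kind": fields[0][2:], "port": int(fields[1]),
                          "proto": fields[2], "addr": session_addr})
    return media


def pinholes(message):
    """What a stateful SIP tracking module would do with each media stream:
    open a return pinhole for RTP (port) and RTCP (port + 1) to the advertised
    address, or flag the stream when that address is RFC 1918, because the far
    end's media will be sent to a private address and never reach this firewall."""
    result = []
    for m in parse_sdp_media(message):
        result.append({
            "kind": m["kind"],
            "addr": m["addr"],
            "ports": (m["port"], m["port"] + 1),
            "action": "flag-rfc1918" if is_rfc1918(m["addr"]) else "open",
        })
    return result


if __name__ == "__main__":
    for label, msg in (("IPv4/1918", SAMPLE_INVITE_V4), ("IPv6", SAMPLE_INVITE_V6)):
        print(label, pinholes(msg))
```

Note that the module never touches the packet: it reads the address and port pair and decides on a pinhole, which is the "monitor" half of Don's comparison. A NAT module would additionally have to rewrite the c= and m= lines (and the Content-Length) in flight, which is where the extra complexity and the lost-in-the-ether failure come from.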
