[97287] in North American Network Operators' Group
Re: Cool IPv6 Stuff
daemon@ATHENA.MIT.EDU (Iljitsch van Beijnum)
Wed Jun 6 06:57:44 2007
In-Reply-To: <20070605022942.GF17495@skywalker.creative.net.au>
Cc: NANOG list <nanog@nanog.org>
From: Iljitsch van Beijnum <iljitsch@muada.com>
Date: Wed, 6 Jun 2007 09:48:36 +0200
To: Adrian Chadd <adrian@creative.net.au>
Errors-To: owner-nanog@merit.edu
On 5-jun-2007, at 4:29, Adrian Chadd wrote:
>> Don't forget that the reason NAT works to the degree that it does
>> today is because of all the workarounds in applications or protocol-
>> specific workarounds in the NATs (ALGs). In IPv6, you don't have any
>> of this stuff, so IPv6 NAT gets you nowhere fast with any protocol
>> that does more than something HTTP-like. (Yes, I've tried it.)
> Won't stateful firewalls have similar issues? Ie, if you craft a stateful
> firewall to allow an office to have real IPv6 addresses but not to allow
> arbitrary connections in/out (ie, the "stateful" bit), won't said stateful
> require protocol tracking modules with similar (but not -as-) complexity
> to the existing NAT modules?
I'm afraid so, yes.
http://arstechnica.com/articles/paedia/ipv6-firewall-mixed-blessing.ars
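
The protocol tracking discussed in the exchange above, sketched as an added example that is not part of the original post: a toy stateful IPv6 filter that drops the FTP active-mode data connection unless a helper parses the client's EPRT command (RFC 2428) and opens a one-shot pinhole. The class and function names, the 2001:db8::/32 documentation addresses and the port numbers are constructed for illustration.

```python
import ipaddress
import re

# RFC 2428 active-mode FTP command: EPRT |2|<IPv6 address>|<port>|
EPRT_RE = re.compile(r"^EPRT \|2\|([0-9A-Fa-f:]+)\|(\d{1,5})\|\s*$")

def norm(addr):
    """Canonical text form, so equal addresses compare equal."""
    return str(ipaddress.ip_address(addr))

class StatefulFilter:
    """Inside hosts may open connections; outside hosts may only answer them."""
    def __init__(self, ftp_helper=False):
        self.ftp_helper = ftp_helper
        self.flows = set()     # (inside, iport, outside, oport) seen outbound
        self.expected = set()  # (outside, inside, iport) pinholes from the helper

    def outbound(self, src, sport, dst, dport, payload=""):
        src, dst = norm(src), norm(dst)
        self.flows.add((src, sport, dst, dport))
        if self.ftp_helper and dport == 21:
            self._track_ftp(src, dst, payload)
        return True

    def _track_ftp(self, client, server, payload):
        m = EPRT_RE.match(payload)
        if not m:
            return
        try:
            addr, port = norm(m.group(1)), int(m.group(2))
        except ValueError:
            return
        # Only open a pinhole towards the client that sent the command.
        if addr == client and 1024 <= port <= 65535:
            self.expected.add((server, client, port))

    def inbound(self, src, sport, dst, dport):
        src, dst = norm(src), norm(dst)
        if (dst, dport, src, sport) in self.flows:
            return True
        if (src, dst, dport) in self.expected:
            self.expected.discard((src, dst, dport))   # one-shot pinhole
            self.flows.add((dst, dport, src, sport))
            return True
        return False

def demo(ftp_helper):
    fw = StatefulFilter(ftp_helper)
    client, server = "2001:db8:1::10", "2001:db8:ffff::21"   # constructed sample
    fw.outbound(client, 40000, server, 21, "EPRT |2|2001:db8:1::10|5282|\r\n")
    return (fw.inbound(server, 21, client, 40000),   # control-channel reply
            fw.inbound(server, 20, client, 5282),    # announced data connection
            fw.inbound(server, 20, client, 5283))    # unannounced port
```

Without the helper the filter has no way to tell the announced data connection from any other unsolicited inbound connection, which is the per-protocol complexity the question asks about.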