IPv6 and Firewall traversal
Richard Pieri
Richard.Pieri-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Wed Mar 30 10:33:55 EDT 2011
On Mar 30, 2011, at 10:03 AM, Edward Ned Harvey wrote:
>
> One of the barriers to widespread deployment of IPv6 is fear about security.
> People have come to rely on their IPv4 NAT as a form of inbound packet
> filter. So moving forward, it seems only natural that (for people who agree
Anyone who relies on NAT for security has almost no network security (see: source IP spoofing). NAT is not, and never has been, about security. It exists to address the limited address space in IPv4 but it is not formally part of IPv4. NAT is, ultimately, a clever hack used to link non-routable networks to routable networks.
IPv6 removes this necessity. Thus, no NAT for IPv6. And hopefully there never will be. IPv6 has link-local and site-local addressing, which eliminates the need for segregating non-routable networks. This is built into the specification. For everything else there is SPI.
--Rich P.
More information about the Discuss
mailing list