BLU Discuss list archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

IPv6 and Firewall traversal

Subject: IPv6 and Firewall traversal
From: bogstad-e+AXbWqSrlAAvxtiuMwx3w at public.gmane.org (Bill Bogstad)
Date: Wed, 30 Mar 2011 11:06:59 -0400
In-reply-to: <757CAF55-5FFC-4066-A5F1-CBD4B9079ABC-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
References: <000a01cbeee3$47d63a80$d782af80$@nedharvey.com> <757CAF55-5FFC-4066-A5F1-CBD4B9079ABC@gmail.com>

On Wed, Mar 30, 2011 at 10:33 AM, Richard Pieri <Richard.Pieri-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org> wrote:
> On Mar 30, 2011, at 10:03 AM, Edward Ned Harvey wrote:
>>
>> One of the barriers to widespread deployment of IPv6 is fear about security.
>> People have come to rely on their IPv4 NAT as a form of inbound packet
>> filter. ?So moving forward, it seems only natural that (for people who agree
>
> Anyone who relies on NAT for security has almost no network security (see: source IP spoofing). ?NAT is not, and never has been, about security. ?It exists to address the limited address space in IPv4 but it is not formally part of IPv4. ?NAT is, ultimately, a clever hack used to link non-routable networks to routable networks.

Source IP spoofing is only possible when people don't put in
appropriate filters to disallow
packets coming from the outside with the wrong IP address.   In a
NATed environment, you
are typically at the 'edge' of the Internet and it is relatively
straightforward to know what
addresses must come from inside your network perimeter vs. the outside.  So yes,
NAT all by itself isn't great security.  However, it isn't that bad
when you add some
trivially automatable packet filtering.   It's big advantage is that
for simple TCP client/server traffic
it 'just works' with arbitrary ports.  If you trust your internal
clients to access external
servers, then NAT's automatic 'hole punching' for return traffic is
nice.  UDP is another story
and requires more sophisticated hole punching mechanisms which is
usually done at
the same time as IPv4 NAT with NAT-PMP or IGD.

> IPv6 removes this necessity. ?Thus, no NAT for IPv6. ?And hopefully there never will be. ?IPv6 has link-local and site-local addressing, which eliminates the need for segregating non-routable networks. ?This is built into the specification. ?For everything else there is SPI.

I'm not sure that I would define SPI as including automatic (or
automatable) hole punching,
but if you do then yes SPI is probably good enough to replace how IPv4
NAT is typically used.
Do all IPv6 SPI implementations have these kind of capabilities?  I
really don't know.

Bill Bogstad

References:
- IPv6 and Firewall traversal
  - From: blu-Z8efaSeK1ezqlBn2x/YWAg at public.gmane.org (Edward Ned Harvey)
- IPv6 and Firewall traversal
  - From: Richard.Pieri-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org (Richard Pieri)

Prev by Date: IPv6 and Firewall traversal
Next by Date: IPv6 and Firewall traversal
Previous by thread: IPv6 and Firewall traversal
Next by thread: IPv6 and Firewall traversal
Index(es):
- Date
- Thread


BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Boston Linux & Unix / webmaster@blu.org