BLU Discuss list archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

IPv6 and Firewall traversal

Subject: IPv6 and Firewall traversal
From: cra-WCkJK2/AXBA at public.gmane.org (Chuck Anderson)
Date: Wed, 30 Mar 2011 12:32:14 -0400
In-reply-to: <AANLkTinMHx_YugaktJS3X6q7ysfksSW3yRo5aTT8xG0f-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
References: <000a01cbeee3$47d63a80$d782af80$@nedharvey.com> <757CAF55-5FFC-4066-A5F1-CBD4B9079ABC@gmail.com> <AANLkTinMHx_YugaktJS3X6q7ysfksSW3yRo5aTT8xG0f@mail.gmail.com>

On Wed, Mar 30, 2011 at 11:09:10AM -0400, Rob Hasselbaum wrote:
> On Wed, Mar 30, 2011 at 10:33 AM, Richard Pieri <Richard.Pieri-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org>wrote:
> > Anyone who relies on NAT for security has almost no network security (see:
> > source IP spoofing).  NAT is not, and never has been, about security.  It
> > exists to address the limited address space in IPv4 but it is not formally
> > part of IPv4.  NAT is, ultimately, a clever hack used to link non-routable
> > networks to routable networks.

Agreed.

> > IPv6 removes this necessity.  Thus, no NAT for IPv6.  And hopefully there
> > never will be.  IPv6 has link-local and site-local addressing, which
> > eliminates the need for segregating non-routable networks.  This is built
> > into the specification.  For everything else there is SPI.

Site-local addresses are deprecated:

http://tools.ietf.org/html/rfc3879

and replaced by Unique Local Addressing (ULA):

http://tools.ietf.org/html/rfc4193

> Agreed, NAT is not a required ingredient for an effective firewall. Apples
> and oranges. It does, however, provide source obfuscation for individual
> machines on a LAN, and there is some value in that. For example, I suspect

We have Privacy Addressing:

http://tools.ietf.org/html/rfc4941

> if it weren't for NAT, consumers would be paying their ISPs "per-node"
> connection fees. If things move in that direction in a mostly-IPv6 world, we
> could see a resurgence of NAT.

That is not supposed to happen.  There is no reason for an ISP to hand 
out IPv6 addresses one /128 at a time.  They would be creating a 
management nightmare for themselves and hurting their customers.  The 
latest recommendations on prefix sizing are here:

http://tools.ietf.org/html/rfc5375
http://tools.ietf.org/html/rfc6177

There is rough consensus that residential customers will be provided a 
/56 prefix, enough for 256 /64 subnets, but there is no hard 
requirement on that specific size.

References:
- IPv6 and Firewall traversal
  - From: blu-Z8efaSeK1ezqlBn2x/YWAg at public.gmane.org (Edward Ned Harvey)
- IPv6 and Firewall traversal
  - From: Richard.Pieri-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org (Richard Pieri)
- IPv6 and Firewall traversal
  - From: rob-IdUdaS/NwSyQrzRDRVclEQ at public.gmane.org (Rob Hasselbaum)

Prev by Date: NATing IPv6
Next by Date: IPv6 and Firewall traversal
Previous by thread: IPv6 and Firewall traversal
Next by thread: IPv6 and Firewall traversal
Index(es):
- Date
- Thread


BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Boston Linux & Unix / webmaster@blu.org