Important IPv6 Policy Issue -- Your Input Requested

“Get a firewall” is not a valid response when you have lusers
who drop the latest Netgear whatever onto their PC and dial
to some provider somewhere. Your firewall is useless to
protect that segment. In many cases NAT is the ONLY
protection you end up with in this scenario, a scenario that
is far too common in the corporate world.

Jerry

Then get a stateful firewall. NAT == stateful fw + header map/mod
done/done.

-J

"Get a firewall" is not a valid response when you have lusers
who drop the latest Netgear whatever onto their PC and dial
to some provider somewhere. Your firewall is useless to
protect that segment. In many cases NAT is the ONLY
protection you end up with in this scenario, a scenario that
is far too common in the corporate world.

and do explain how a user coming in with their laptop and
dialing a provider is gonna be affected by your nat

randy

And NAT does what, exactly, to defend you against a PC that has
one interface on the NAT'ed network and one interface "elsewhere/elsewhen"
(be it a netgear, or somebody at the far end of a VPN, or a laptop
that was connected externally, and now is on the corporate LAN)?

There's a *reason* why Bill Cheswick said "A crunchy shell around
a soft, chewy inside"......

and do explain how a user coming in with their laptop and
dialing a provider is gonna be affected by your nat

If IPv6 had "local scope" addresses, then NAT would not be
necessary to prevent traffic from flowing through the
unauthorized link. I know that the IETF has deprecated
local scope addresses but I'm curious whether any of the
router vendors currently support local scope addresses
in their equipment.

--Michael Dillon

"local scope" is back in the form of the ULA stuff,
which takes away the problem of local scope, which was merely RFC1918.

Routing vendors in general don't really care about those things.
Otherwise they would long ago have been pre-configuring RFC1918
filters and other want-to-haves by default, but they don't.
Remember that when there is a problem, somebody needs to be called
(and thus paid) for support. NAT is a nice money business...
"It doesn't work, let's call the expensive NAT guru"

Greets,
Jeroen

If IPv6 had "local scope" addresses, then NAT would not be
necessary to prevent traffic from flowing through the
unauthorized link.

yes. just like we see no 1918 leakage now.

randy
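Editor's added example, not posted by anyone in this thread: the RFC1918 / ULA border filter that Jeroen says vendors never ship by default, applied to a constructed flow log so the two points made above are visible in code. A filter on the border interface catches local-scope leakage there (Randy's 1918 remark), but it never sees traffic that leaves over an unauthorized link such as the user's own Netgear or dial-up, which is the dual-homed case Valdis describes. Interface names and the sample flows are made up; the prefixes are the real RFC 1918, RFC 4193 (fc00::/7) and link-local ranges.

```python
"""Classify addresses by scope and apply a border filter to a flow log.

Added example for the NAT / local-scope discussion above; the interface
names and the flows below are constructed, not taken from any real network.
"""
import ipaddress
from dataclasses import dataclass

# Local-scope prefixes discussed in the thread: RFC 1918 for IPv4 and the
# ULA block (RFC 4193, fc00::/7) for IPv6. Link-local is included as well
# because it must never appear on a border link either.
LOCAL_SCOPE = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("fc00::/7"),
    ipaddress.ip_network("fe80::/10"),
]


def scope(addr: str) -> str:
    """Return 'local' for RFC1918 / ULA / link-local addresses, else 'global'."""
    a = ipaddress.ip_address(addr)
    for net in LOCAL_SCOPE:
        if a.version == net.version and a in net:
            return "local"
    return "global"


@dataclass(frozen=True)
class Flow:
    ifname: str  # egress interface the packet leaves through
    src: str
    dst: str


def border_filter(flow: Flow, border_if: str) -> str:
    """Decide one flow against a filter that exists only on border_if.

    'drop'       - crossed the border with a local-scope src or dst
    'permit'     - crossed the border with global addresses only
    'unfiltered' - left via another interface; the filter never saw it
    """
    if flow.ifname != border_if:
        return "unfiltered"
    if scope(flow.src) == "local" or scope(flow.dst) == "local":
        return "drop"
    return "permit"


# Constructed sample: the first three flows use the official uplink
# (hypothetical name ge-0/0/0); the last one uses a user's own ppp0 link.
SAMPLE_FLOWS = [
    Flow("ge-0/0/0", "192.168.1.10", "203.0.113.5"),       # RFC1918 source leaking
    Flow("ge-0/0/0", "fd12:3456:789a::1", "2001:db8::1"),  # ULA source leaking
    Flow("ge-0/0/0", "2001:db8:1::10", "2001:db8::1"),     # legitimate global traffic
    Flow("ppp0", "192.168.1.10", "198.51.100.7"),          # bypasses the border entirely
]


def audit(flows, border_if="ge-0/0/0"):
    """Map every flow to the filter's decision for it."""
    return {f: border_filter(f, border_if) for f in flows}


if __name__ == "__main__":
    for flow, verdict in audit(SAMPLE_FLOWS).items():
        print(f"{flow.ifname:9} {flow.src:>20} -> {flow.dst:<16} {verdict}")
```

The fourth flow is the whole argument in one line: the filter (or a NAT box) on ge-0/0/0 returns a verdict only for packets that actually cross it, so a host with a second path out is outside its reach regardless of how the border is configured.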