NANOG Mailing List

The North American Network Operators' Group discusses fundamental Internet infrastructure issues such as routing, IP address allocation, and containing malicious activity.

Latest Posts

Re: Requirements for IPv6 Firewalls Eugeniu Patrascu (Apr 18)
On Thu, Apr 17, 2014 at 11:45 PM, George Herbert
<george.herbert () gmail com> wrote:

That's why you have gazillions of IP addresses in IPv6, so you don't need
to NAT anything (among other things). I don't understand why people cling
to NAT stuff when you can just route.

You treat IPv6 like the only protocol running and design the implementation
taking that into consideration. Where necessary you publish AAAA records
and so...

Re: Requirements for IPv6 Firewalls Seth Mos (Apr 18)
Sounds good in theory, I tried it but it got ugly really fast. Before
you know it you have layers of obfuscation, and even more work to get
it to work right. That's really not a good argument for the general IPv6

Then there's the issue of making not just hosts do address selection but
bringing that down to making applications choose address selection. As an
admin I really don't want to go there. I just want a central point...

Re: Requirements for IPv6 Firewalls Matt Palmer (Apr 18)
Why use NAT-PT in that instance? Since IPv6 interfaces are happy running
with multiple addresses, the machines can have their publicly-accessible
address and also their ULA address, with internal services binding to (and
referring to, via DNS, et al) the ULA address; when you change providers,
the publicly-accessible address changes (whoopee!), but the internal
service address doesn't.

- Matt

Re: Requirements for IPv6 Firewalls Seth Mos (Apr 18)
On 17 Apr 2014, at 20:50, William Herrin <bill () herrin us> wrote the following:

Having deployed IPv6 at the internet point and halfway into the company I work for I can tell you that I am *really*
glad that I can now see what a firewall rule does properly instead of also having to peer at the NAT table which is 1:1
or a port forward etc. Also, when IPv4 NAT and rules don’t match up, hilarity ensues.

It greatly improves my...

Internap Contact? Carlos Kamtha (Apr 18)

I was wondering if anyone can recommend a good contact at Internap
to discuss their anycast services.

Please contact me directly. Any help is greatly appreciated.



Re: Requirements for IPv6 Firewalls Matthew Kaufman (Apr 18)
I think I got you to say "NAT"

Matthew Kaufman

(Sent from my iPhone)

Re: Thank you Comcast Doug Barton (Apr 18)
Please don't reply to a message on the list and change the subject line.
Doing so causes your new topic to show "under" the previous one for
those using mail readers that thread properly, and may cause your
message to be missed altogether if someone has blocked that thread.

Instead, save the list address and start a completely new message.

hope this helps,


Re: Thank you Comcast Mehmet Akcin (Apr 18)
+ Redmond, WA. Good job guys.


Re: Requirements for IPv6 Firewalls Brandon Ross (Apr 18)
Until you responded, Timothy, I didn't realize that Matthew was being

Thank you Comcast Michael T. Voity (Apr 18)
To the Comcast v6 Team,

Thank you for enabling my CMTS for v6 in Colchester, VT

Works great!



Michael T. Voity
Network Engineer
University of Vermont

Re: Requirements for IPv6 Firewalls Timothy Morizot (Apr 18)
burned, often more than once, by the pain of re-numbering internal services
at static addresses how IPv6 without NAT will magically solve this problem.

If you're worried about that issue, either get your own end user
assignment(s) from ARIN or use ULA internally and employ NAT-PT (prefix
translation) at the perimeter. That's not even a hard question.

Re: Requirements for IPv6 Firewalls Matthew Kaufman (Apr 18)
While you're at it, the document can explain to admins who have been burned, often more than once, by the pain of
re-numbering internal services at static addresses how IPv6 without NAT will magically solve this problem.

Matthew Kaufman

(Sent from my iPhone)

Re: Requirements for IPv6 Firewalls Brandon Ross (Apr 17)
And I not only agree with Sander, but would also argue for a definitive
statement in a document like this SPECIFICALLY to help educate the
enterprise networking community on how to implement a secure border for
IPv6 without the need for NAT. Having a document to point at that has
been blessed by the IETF/community is key to helping recover the
end-to-end principle. Such a document may or may not be totally in scope
for a...

Re: Requirements for IPv6 Firewalls Fernando Gont (Apr 17)
I cannot speak for that, unfortunately. But I can tell you that the
reason for which we posted a note on this list regarding our I-D is
because your feedback does matter to us (us == at least the co-authors
of this document)


Best regards,

Re: Requirements for IPv6 Firewalls Mark Andrews (Apr 17)
In message <53504C18.7050406 () matthew at>, Matthew Kaufman writes:

NAT from a firewall perspective is "default deny in". As far as I
can tell no one is arguing that a firewall should not support that.

Now mangling the addresses and ports is not a firewall's job. It
never has been a firewall's job. That is what a NAT box does.

Now sometimes a NAT and Firewall are implemented in the same
hardware and people fail...

More Lists

Dozens of other network security lists are archived at SecLists.Org.
