NANOG Mailing List

The North American Network Operators' Group discusses fundamental Internet infrastructure issues such as routing, IP address allocation, and containing malicious activity.

Latest Posts

Re: Requirements for IPv6 Firewalls Eugeniu Patrascu (Apr 18)
On Thu, Apr 17, 2014 at 11:45 PM, George Herbert
<george.herbert () gmail com> wrote:

That's why you have gazillions of IP addresses in IPv6, so you don't need
to NAT anything (among other things). I don't understand why people cling
to NAT stuff when you can just route.

You treat IPv6 like the only protocol running and design the implementation
taking that into consideration. Where necessary you publish AAAA records
and so...

Re: Requirements for IPv6 Firewalls Seth Mos (Apr 18)
Sounds good in theory, I tried it but it got ugly really fast. Before
you know it you have layers of obfuscation, and even more work to get
it to work right. That's really not a good argument for the general IPv6
case.

Then there's the issue of making not just hosts do address selection but
bringing that down to making applications choose address selection. As an
admin I really don't want to go there. I just want a central point...

Re: Requirements for IPv6 Firewalls Matt Palmer (Apr 18)
Why use NAT-PT in that instance? Since IPv6 interfaces are happy running
with multiple addresses, the machines can have their publicly-accessible
address and also their ULA address, with internal services binding to (and
referring to, via DNS, et al) the ULA address; when you change providers,
the publicly-accessible address changes (whoopee!), but the internal
service address doesn't.

- Matt

Re: Requirements for IPv6 Firewalls Seth Mos (Apr 18)
On 17 Apr 2014, at 20:50, William Herrin <bill () herrin us> wrote:

Having deployed IPv6 at the internet point and halfway into the company I work for I can tell you that I am *really*
glad that I can now see what a firewall rule does properly instead of also having to peer at the NAT table which is 1:1
or a port forward etc. Also, when IPv4 NAT and rules don’t match up, hilarity ensues.

It greatly improves my...

Internap Contact? Carlos Kamtha (Apr 18)
Hello,

I was wondering if anyone can recommend a good contact at Internap
to discuss their anycast services.

Please contact me directly. Any help is greatly appreciated..

Cheers,

Carlos.

Re: Requirements for IPv6 Firewalls Matthew Kaufman (Apr 18)
I think I got you to say "NAT"

Matthew Kaufman

(Sent from my iPhone)

Re: Thank you Comcast Doug Barton (Apr 18)
Please don't reply to a message on the list and change the subject line.
Doing so causes your new topic to show "under" the previous one for
those using mail readers that thread properly, and may cause your
message to be missed altogether if someone has blocked that thread.

Instead, save the list address and start a completely new message.

hope this helps,

Doug

Re: Thank you Comcast Mehmet Akcin (Apr 18)
+ Redmond, WA. Good job guys.

mehmet

Re: Requirements for IPv6 Firewalls Brandon Ross (Apr 18)
Until you responded, Timothy, I didn't realize that Matthew was being
sarcastic.

Thank you Comcast Michael T. Voity (Apr 18)
To the Comcast v6 Team,

Thank you for enabling my CMTS for v6 in Colchester, VT

Works great!

Thanks,

-Mike

Michael T. Voity
Network Engineer
University of Vermont

Re: Requirements for IPv6 Firewalls Timothy Morizot (Apr 18)
burned, often more than once, by the pain of re-numbering internal services
at static addresses how IPv6 without NAT will magically solve this problem.

If you're worried about that issue, either get your own end user
assignment(s) from ARIN or use ULA internally and employ NAT-PT (prefix
translation) at the perimeter. That's not even a hard question.

Re: Requirements for IPv6 Firewalls Matthew Kaufman (Apr 18)
While you're at it, the document can explain to admins who have been burned, often more than once, by the pain of
re-numbering internal services at static addresses how IPv6 without NAT will magically solve this problem.

Matthew Kaufman

(Sent from my iPhone)

Re: Requirements for IPv6 Firewalls Brandon Ross (Apr 17)
And I not only agree with Sander, but would also argue for a definitive
statement in a document like this SPECIFICALLY to help educate the
enterprise networking community on how to implement a secure border for
IPv6 without the need for NAT. Having a document to point at that has
been blessed by the IETF/community is key to helping recover the
end-to-end principle. Such a document may or may not be totally in scope
for a...

Re: Requirements for IPv6 Firewalls Fernando Gont (Apr 17)
I cannot speak for that, unfortunately. But I can tell you that the
reason for which we posted a note on this list regarding our I-D is
because your feedback does matter to us (us == at least the co-authors
of this document)

Thanks!

Best regards,

Re: Requirements for IPv6 Firewalls Mark Andrews (Apr 17)
In message <53504C18.7050406 () matthew at>, Matthew Kaufman writes:

NAT from a firewall perspective is "default deny in". As far as I
can tell no one is arguing that a firewall should not support that.

Now mangling the addresses and ports is not a firewall's job. It
never has been a firewall's job. That is what a NAT box does.

Now sometimes a NAT and Firewall are implemented in the same
hardware and people fail...

More Lists

Dozens of other network security lists are archived at SecLists.Org.

