nanog mailing list archives

Re: Pointer for documentation on actually delivering IPv6


From: Joel Jaeggli <joelja () bogus com>
Date: Sun, 12 Dec 2010 18:02:54 -0800

On 12/6/10 6:55 AM, Jared Mauch wrote:

On Dec 6, 2010, at 8:35 AM, Jeff Johnstone wrote:

Speaking of IPv6 security, is there any movement towards any open
source IPv6 firewall solutions for the consumer / small business?

Almost all the info I've managed to find to date indicates no
support, nor any planned support in upcoming releases.

Any info would be helpful.

Honestly (and I'm sure some IPv6 folks will want me injured as a
result) there should be some '1918-like' space allocated for the
corporate guys who "don't get it", so they can NAT everyone through a
single /128.  It would make life easier for them and quite possibly
be a large item in pushing IPv6 deployment in the enterprise.

There's literally nothing to prevent them from doing that today. There's a
/8 of ULA-L and NAT66 implementations exist.

I don't see our corporate IT guys that number stuff in 1918 space
wanting to put hosts on 'real' IPs.  The chances for unintended
routing are enough to make them say that v6 is actually a security
risk vs security enabler is my suspicion.

The chances of unintended routing with overlapping RFC 1918 domains and a
bit of 2547 VPN in the mix are non-trivial... Using GUA IPv6 space
there's at least some chance that I'll actually see the leak and
interpret it as such rather than wondering why my packets are going into
a black hole or being discarded as out of state because they come back
on a different VRF than they go out on.

- Jared
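As an added illustration of the two points raised in this thread (a small-site IPv6 firewall that needs no NAT, and making a ULA leak visible instead of a silent black hole), here is an nftables ruleset that is not from the thread or any of its participants; the interface names "wan0" and "lan0" are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example: minimal stateful IPv6 border policy for a small site.
# "wan0" (upstream) and "lan0" (inside, GUA-numbered) are assumed names.
flush ruleset

table inet border {
    chain input {
        type filter hook input priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop
        iif "lo" accept
        iif "lan0" accept

        # ICMPv6 that IPv6 cannot function without (NDP, PMTUD, errors)
        icmpv6 type {
            destination-unreachable, packet-too-big, time-exceeded,
            parameter-problem, echo-request,
            nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert
        } accept

        # DHCPv6 client replies from the upstream link
        iif "wan0" udp dport 546 accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop

        # ULA (RFC 4193, fc00::/7) must never cross the border in either
        # direction; log it so a leak is seen rather than silently dropped
        iif "wan0" ip6 saddr fc00::/7 log prefix "ula-leak-in: " drop
        iif "wan0" ip6 daddr fc00::/7 log prefix "ula-leak-in: " drop
        oif "wan0" ip6 saddr fc00::/7 log prefix "ula-leak-out: " drop
        oif "wan0" ip6 daddr fc00::/7 log prefix "ula-leak-out: " drop

        # Inside hosts on GUA initiate outbound; nothing unsolicited inbound
        iif "lan0" oif "wan0" accept
        icmpv6 type {
            destination-unreachable, packet-too-big,
            time-exceeded, parameter-problem
        } accept
    }
}
```

Hosts keep globally routable addresses, so no NAT66 is involved; the default-drop forward policy plus connection tracking provides the "nobody unsolicited gets in" property that RFC 1918 plus NAT is usually credited with.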



