nanog mailing list archives
Re: Requirements for IPv6 Firewalls
From: Enno Rey <erey () ernw de>
Date: Fri, 18 Apr 2014 10:14:51 +0200
Hi,

On Fri, Apr 18, 2014 at 04:57:57PM +1000, Matt Palmer wrote:
> On Thu, Apr 17, 2014 at 09:05:17PM -0500, Timothy Morizot wrote:
> > On Apr 17, 2014 7:52 PM, "Matthew Kaufman" <matthew () matthew at> wrote:
> > > While you're at it, the document can explain to admins who have been burned, often more than once, by the pain of re-numbering internal services at static addresses how IPv6 without NAT will magically solve this problem.
> >
> > If you're worried about that issue, either get your own end user assignment(s) from ARIN or use ULA internally and employ NAT-PT (prefix translation) at the perimeter. That's not even a hard question.
>
> Why use NAT-PT in that instance? Since IPv6 interfaces are happy running with multiple addresses, the machines can have their publicly accessible address and also their ULA address, with internal services binding to (and referring to, via DNS, et al) the ULA address
there are two problems with that approach:

a) what is "an internal service"? In a world of complex data center environments running/offering all types of services to various parties ($ORG's employees, business partners, customers and closed groups from customers, "public"/Internet) you can't make that distinction any longer. And even if you could, at the latest trying to reflect that distinction in your DNS setup will screw you. At the end of the day you'll still end up in "address selection hell".

b) from my operational experience address selection is still a "hugely unresolved problem", despite RFC 3484 and RFC 6724. As long as this (problem) persists, from our perspective there's a simple recommendation/solution: "when there's a [continued] decision problem, just don't offer a choice". Read, in IPv6 context: "go with GUAs only and only one per interface".

best

Enno

--
Enno Rey

ERNW GmbH - Carl-Bosch-Str. 4 - 69115 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902

Handelsregister Mannheim: HRB 337135
Geschaeftsfuehrer: Enno Rey

=======================================================
Blog: www.insinuator.net || Conference: www.troopers.de
Twitter: @Enno_Insinuator
=======================================================
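Editor's note: to make the "address selection hell" in this exchange concrete, here is an added Python example that is not part of the thread and not code from any of the posters. It implements a subset of the RFC 6724 source-selection and destination-ordering rules (rules 1, 2, 6 and 8 for sources; rules 2, 5, 6 and 9 for destinations, with scope comparison simplified to "same scope or not" and the common-prefix length computed over all 128 bits) together with the default policy table from RFC 6724 section 2.1. The host addresses, the service's AAAA records and the prefixes 2001:db8::/32 and fd00:1::/48 are constructed for the illustration. It shows that a client holding both a GUA and a ULA, looking up an "internal" service that publishes both a GUA and a ULA in DNS, will by default prefer the GUA destination (precedence 40 over 3), so publishing the ULA in DNS does not by itself route internal traffic over ULA.

```python
import ipaddress

# Default policy table, RFC 6724 section 2.1: (prefix, precedence, label).
POLICY_TABLE = [
    (ipaddress.IPv6Network("::1/128"), 50, 0),
    (ipaddress.IPv6Network("::/0"), 40, 1),
    (ipaddress.IPv6Network("::ffff:0:0/96"), 35, 4),
    (ipaddress.IPv6Network("2002::/16"), 30, 2),
    (ipaddress.IPv6Network("2001::/32"), 5, 5),
    (ipaddress.IPv6Network("fc00::/7"), 3, 13),
    (ipaddress.IPv6Network("::/96"), 1, 3),
    (ipaddress.IPv6Network("fec0::/10"), 1, 11),
    (ipaddress.IPv6Network("3ffe::/16"), 1, 12),
]


def _addr(x):
    """Accept either a string or an IPv6Address."""
    return x if isinstance(x, ipaddress.IPv6Address) else ipaddress.IPv6Address(x)


def policy(addr):
    """Longest-prefix lookup in the policy table; returns (precedence, label)."""
    addr = _addr(addr)
    best = None
    for net, prec, label in POLICY_TABLE:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, prec, label)
    return best[1], best[2]


def scope(addr):
    """Simplified unicast scope: loopback/link-local vs. global.
    ULAs (fc00::/7) count as global scope, as RFC 4193 / RFC 6724 treat them."""
    addr = _addr(addr)
    return 2 if (addr.is_loopback or addr.is_link_local) else 14


def common_prefix_len(a, b):
    """Number of leading bits two addresses share (0..128)."""
    diff = int(_addr(a)) ^ int(_addr(b))
    return 128 - diff.bit_length()


def select_source(dest, candidates):
    """RFC 6724 section 5, subset: rule 1 (same address), rule 2 (matching scope),
    rule 6 (matching label), rule 8 (longest matching prefix). Returns a string."""
    dest = _addr(dest)
    dest_label = policy(dest)[1]

    def key(src):
        return (
            src == dest,
            scope(src) == scope(dest),
            policy(src)[1] == dest_label,
            common_prefix_len(src, dest),
        )

    return str(max((_addr(c) for c in candidates), key=key))


def order_destinations(dests, sources):
    """RFC 6724 section 6, subset: rule 2 (matching scope), rule 5 (matching
    label), rule 6 (higher precedence), rule 9 (longest matching prefix).
    Returns destination strings, most preferred first."""

    def key(d):
        s = _addr(select_source(d, sources))
        prec, label = policy(d)
        return (scope(d) == scope(s), policy(s)[1] == label, prec, common_prefix_len(s, d))

    return [str(d) for d in sorted((_addr(d) for d in dests), key=key, reverse=True)]


def plan_connections(host_addrs, service_addrs):
    """The (destination, source) pairs a client would try, in order."""
    ordered = order_destinations(service_addrs, host_addrs)
    return [(d, select_source(d, host_addrs)) for d in ordered]


# Constructed scenario: a dual-addressed client and an "internal" service whose
# DNS entry deliberately lists its ULA first.
HOST_ADDRS = ["2001:db8:1::10", "fd00:1::10"]
SERVICE_AAAA = ["fd00:1::20", "2001:db8:1::20"]

if __name__ == "__main__":
    print("dual-addressed host :", plan_connections(HOST_ADDRS, SERVICE_AAAA))
    print("GUA-only host       :", plan_connections(["2001:db8:1::10"], SERVICE_AAAA))
```

Running it shows the dual-addressed host picks (2001:db8:1::20, 2001:db8:1::10) first and only falls back to the ULA pair; the GUA-only host produces the same destination order but has no source choice to get wrong, which is the "don't offer a choice" recommendation in operational terms. A firewall or ACL written on the assumption that internal traffic arrives from ULA sources will therefore see GUA-to-GUA flows instead unless the policy table on every client is changed.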