On Mar 24, 2014, at 8:52 PM, George Herbert <george.herbert@gmail.com> wrote:

> On Mon, Mar 24, 2014 at 8:02 PM, Owen DeLong <owen@delong.com> wrote:
>
>> On Mar 24, 2014, at 9:21 AM, William Herrin <bill@herrin.us> wrote:
>>
>>> On Sun, Mar 23, 2014 at 11:07 PM, Naslund, Steve <SNaslund@medline.com> wrote:
>>>
>>>> I am not sure I agree with the basic premise here. NAT or Private addressing does not equal security.
>>>
>>> Hi Steve,
>>>
>>> It is your privilege to believe this and to practice it in the networks you operate.
>>>
>>> Many of the folks you would have deploy IPv6 do not agree. They take comfort in the mathematical impossibility of addressing an internal host from an outside packet that is not part of an ongoing session. These folks find that address-overloaded NAT provides a valuable additional layer of security.
>>
>> Which impossibility has been disproven multiple times.
>>
>>> Some folks WANT to segregate their networks from the Internet via a general-protocol transparent proxy. They've had this capability with IPv4 for 20 years. IPv6 poorly addresses their requirement.
>>
>> Actually, there are multiple implementations of transparent proxies available for IPv6. NAT isn’t the same thing at all.
>>
>> If you want to make your life difficult in IPv6, you can. Nobody prevents you from doing so. It is discouraged and nonsensical, but quite possible at this point.
>>
>> Owen
>
> Right. fc00::/7 exists. If you want to emulate your internal use of 10.0.0.0/8 plus NAT (or, proxies or load balancers or whatever) in your IPv6 implementation go ahead. Putting in some robust filtering so that if fc00::/7 ever appears outside the internal gateway the traffic goes poof should be as easy as the equivalents for 10, 172.16, 192.168 …

More accurately fd00::/8. fc00::/8 was reserved for ULA coordinated which failed to gain consensus. While IETF did set aside the /7, only fd00::/8 has a legitimate documented purpose.

Owen
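The border filter George describes (ULA traffic "goes poof" if it shows up outside the internal gateway, alongside the RFC 1918 equivalents) and Owen's point that only fd00::/8 out of the fc00::/7 block has a documented use can both be checked with the standard library. The following is an added example, not code from anyone in this thread; the `Packet` dataclass, the function names, and the sample flows are constructed for illustration.

```python
"""Border-filter check for ULA (fc00::/7) and RFC 1918 prefixes. Added example."""
import ipaddress
from dataclasses import dataclass

# RFC 4193: fc00::/7 is the ULA block as a whole. Only fd00::/8 (locally
# assigned, random Global ID) has a documented use; fc00::/8 stays reserved.
ULA_BLOCK = ipaddress.ip_network("fc00::/7")
ULA_LOCAL = ipaddress.ip_network("fd00::/8")

# RFC 1918 private IPv4 space, the "10, 172.16, 192.168" equivalents.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_internal_only(addr: str) -> bool:
    """True if addr must never be seen on the Internet-facing interface.

    The whole fc00::/7 is matched, not just fd00::/8: since fc00::/8 has no
    legitimate use, its appearance outside the border is equally bogus.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        return ip in ULA_BLOCK
    return any(ip in net for net in RFC1918)


def ula_kind(addr: str) -> str:
    """Distinguish the usable fd00::/8 half from the reserved fc00::/8 half."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 6 or ip not in ULA_BLOCK:
        return "not-ula"
    if ip in ULA_LOCAL:
        return "fd00::/8 (locally assigned ULA)"
    return "fc00::/8 (reserved, no documented use)"


@dataclass(frozen=True)
class Packet:  # hypothetical minimal packet record
    src: str
    dst: str


def border_verdict(pkt: Packet) -> str:
    """Verdict for a packet observed on the outside (Internet-facing) side.

    Applies in both directions: an internal-only source leaking out, or an
    internal-only destination arriving from outside, is dropped.
    """
    if is_internal_only(pkt.src) or is_internal_only(pkt.dst):
        return "drop"
    return "accept"


# Constructed sample traffic (documentation/TEST-NET prefixes, not real captures).
SAMPLE = [
    Packet("2001:db8::10", "2001:db8:ffff::1"),   # global <-> global: fine
    Packet("fd12:3456:789a::10", "2001:db8::1"),  # fd00::/8 source leaking: drop
    Packet("2001:db8::1", "fc00::1"),             # reserved fc00::/8 destination: drop
    Packet("10.1.2.3", "198.51.100.7"),           # RFC 1918 source: drop
    Packet("203.0.113.5", "198.51.100.7"),        # public IPv4 both ends: fine
]


def filter_report(packets=SAMPLE) -> dict:
    """Map each 'src -> dst' flow to its border verdict."""
    return {f"{p.src} -> {p.dst}": border_verdict(p) for p in packets}


if __name__ == "__main__":
    for flow, verdict in filter_report().items():
        print(f"{verdict:6} {flow}")
    for a in ("fd00::1", "fc00::1", "2001:db8::1"):
        print(a, ula_kind(a))
```

Matching the full /7 at the border rather than only fd00::/8 is deliberate: a filter that lets fc00::/8 through would pass traffic from a prefix that has no legitimate source anywhere, so the conservative rule is to treat the whole reserved block as internal-only while documenting that real ULA assignments live in fd00::/8.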