sronan, A subnet can come from the ISP (residential/small business), or business is utilizing BGP with their upstream. When V6 is in use, a firewall does not need to perform NAT, just stateful flow inspection and applying the applicable rules based on the zone and/or interface. Bill, Depending on where that rule is placed within your ACL, yes that can happen with *ANY* address family. --- All things aside, I agree with Dan that NAT was never ever designed to be a security tool. It is used because of the scarcity of public address space, and it provides a "defense" depending on how it is implemented, with minimal effort. This video tells the story of NAT and the Cisco PIX, straight from the creators https://youtu.be/GLrfqtf4txw Ryan Hamel ________________________________ From: NANOG <nanog-bounces+ryan=rkhtech.org@nanog.org> on behalf of sronan@ronan-online.com <sronan@ronan-online.com> Sent: Friday, February 16, 2024 5:44 PM To: William Herrin <bill@herrin.us> Cc: nanog@nanog.org <nanog@nanog.org> Subject: Re: IPv6 uptake (was: The Reg does 240/4) Caution: This is an external email and may be malicious. Please take care when clicking links or opening attachments. Why is your Internal v6 subnet advertised to the Internet?
On Feb 16, 2024, at 8:08 PM, William Herrin <bill@herrin.us> wrote:
On Fri, Feb 16, 2024 at 3:13 PM Michael Thomas <mike@mtcc.com> wrote:
If you know which subnets need to be NAT'd don't you also know which ones shouldn't exposed to incoming connections (or conversely, which should be permitted)? It seems to me that all you're doing is moving around where that knowledge is stored? Ie, DHCP so it can give it private address rather than at the firewall knowing which subnets not to allow access? Yes, DHCP can be easily configured to make everything private, but DHCP for static reachable addresses is pretty handy too.
Hi Mike,
Suppose I have a firewall at 2602:815:6000::1 with an internal network of 2602:815:6001::/64. Inside the network on 2602:815:6001::4 I have a switch that accepts telnet connections with a user/password of admin/admin. On the firewall, I program it to disallow all Internet packets to 2602:815:6001::/64 that are not part of an established connection.
Someone tries to telnet to 2602:815:6001::4. What happens? Blocked.
Now, I make a mistake on my firewall. I insert a rule intended to allow packets outbound from 2602:815:6001::4 but I fat-finger it and so it allows them inbound to that address instead. Someone tries to telnet to 2602:815:6001::4. What happens? Hacked.
Now suppose I have a firewall at 199.33.225.1 with an internal network of 192.168.55.0/24. Inside the network on 192.168.55.4 I have a switch that accepts telnet connections with a user/password of admin/admin. On the firewall, I program it to do NAT translation from 192.168.55.0/24 to 199.33.225.1 when sending packets outbound, which also has the effect of disallowing inbound packets to 192.168.55.0/24 which are not part of an established connection.
Someone tries to telnet to 192.168.55.4. What happens? The packet never even reaches my firewall because that IP address doesn't go anywhere on the Internet.
Now I make a mistake on my firewall. I insert a rule intended to allow packets outbound from 192.168.55.4 but I fat-finger it and so it allows them inbound to that address instead. Someone tries to telnet to 192.168.55.4. What happens? The packet STILL doesn't reach my firewall because that IP address doesn't go anywhere on the Internet.
See the difference? Accessible versus accessible and addressable. Not addressable enhances security.
Regards, Bill Herrin