On Mon, Jun 04, 2007, Iljitsch van Beijnum wrote:
On 4-jun-2007, at 17:37, Donald Stahl wrote:
I want NAT to die but I think it won't.
Far too many "security" folks are dictating actual implementation details and that's fundamentally wrong.
A security policy should read "no external access to the network" and it should be up to the network/firewall folks to determine how best to make that happen. Unfortunately many security policies go so far as to explicitly require NAT.
Don't forget that the reason NAT works to the degree that it does today is because of all the workarounds in applications or protocol- specific workarounds in the NATs (ALGs). In IPv6, you don't have any of this stuff, so IPv6 NAT gets you nowhere fast with any protocol that does more than something HTTP-like. (Yes, I've tried it.)
Won't stateful firewalls have similar issues? Ie, if you craft a stateful firewall to allow an office to have real IPv6 addresses but not to allow arbitrary connections in/out (ie, the "stateful" bit), won't said stateful require protocol tracking modules with similar (but not -as-) complexity to the existing NAT modules? Adrian