On Fri, Apr 18, 2014 at 3:31 AM, Eugeniu Patrascu <eugen@imacandi.net> wrote:
On Thu, Apr 17, 2014 at 11:45 PM, George Herbert <george.herbert@gmail.com> wrote:
You are missing the point.
Granted, anyone who is IPv6 aware doing a green-field enterprise firewall design today should probably choose another way than NAT.
That's why you have gazillions of IP addresses in IPv6, so you don't need to NAT anything (among other things). I don't understand why people cling to NAT stuff when you can just route.
Hi Eugeniu,

That's correct: you don't understand. Until you do, just accept: there are more than a few folks who want to, intend to and will use NAT for IPv6. They will wait until NAT is available in their preferred products before making any significant deployment efforts.

The main drivers behind the desire for NAT in IPv6 you've heard before, but I'll repeat them for the sake of clarity:

1. Easier to manage the network if the IPv4 and IPv6 versions are identical but for the IP addresses. Would've been even easier if the IP addresses were identical too, but that ship sailed more than a decade ago.

2. Risk management - developing a new operating posture for a new protocol is high risk. Translating the existing posture is lower risk. In most places the existing posture includes extensive NAT. The number of IPv4 networks in which no NAT is employed is vanishingly small.

3. Renumbering - works about as well in IPv6 as in IPv4, which is to say badly. And doubling down on the addresses assigned to hosts is still half baked -- a worthwhile idea but needs more time in the kitchen.

4. Defense in depth is a core principle of all security, network and physical. If you don't practice it, your security is weak. Equipment which is not externally addressable (due to address-overloaded NAT) has an additional obstruction an adversary must bypass versus an identical system where the equipment is externally addressable (1:1 NAT, static port translation and simple routing). This constrains the kinds of attacks an adversary may employ.

Feel free to refute all four points. No doubt you have arguments you personally find compelling. Your arguments will fall on deaf ears. At best the arguments propose theory that runs contrary to decades of many folks' experience. More likely the arguments are simply wrong. Either way, you need NAT in the firewall products or you need some miracle application, the desire for which compels folks to move past the rationale above.
Do you see the latter happening any time soon? Neither do I.

Regards,
Bill Herrin

--
William D. Herrin ................ herrin@dirtside.com bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
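The two IPv6 edge postures argued over in this thread (hosts kept externally addressable behind a stateful filter, versus hosts hidden behind address-overloaded NAT) side by side as an nftables ruleset. This is an added illustration, not configuration from either poster; the interface names `lan0`/`wan0` and the `fd00:1234::/64` internal prefix are assumptions.

```nft
# Constructed example: interface names and the internal prefix are assumptions.
# Both postures share the same stateful forward chain: nothing unsolicited from
# the WAN side reaches an internal host, whether or not its address is global.
table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;
        # Return traffic for sessions the inside opened.
        ct state established,related accept
        # Inside may initiate outbound; the reverse direction falls to the drop policy.
        iifname "lan0" oifname "wan0" accept
        # IPv6 breaks without these ICMPv6 types (path MTU discovery, error reporting).
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept
        # Everything else (new inbound connections from wan0) is dropped and logged.
        iifname "wan0" log prefix "ip6-fwd-drop " drop
    }
}

# Address-overloaded NAT posture (Herrin's point 4): internal hosts leave wan0
# with the router's own address, so they are not externally addressable at all.
# Remove this table to get the "just route" posture; the filter above is unchanged.
table ip6 nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan0" ip6 saddr fd00:1234::/64 masquerade
    }
}
```

Loading both tables gives the NAT posture; loading only `inet filter` gives the routed posture, so the difference in exposure can be tested from the outside with the same ruleset minus one table.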