mapping public to private IPv6 networks when firewalling

Michael Sinatra michael at
Wed Nov 23 22:45:22 CET 2011

On 11/23/11 13:23, Eugen Leitl wrote:
> The SOP for firewalling in IPv4 is to use
> private (RFC 1918) networks and map external public
> networks 1:1 to them.

No it's not.  It's one of several possible (and rather common) 
practices, including many-to-one NAT, stateful bridging firewall and a 
firewalling router.  It's not "the SOP" and I'd say that there is no SOP.

> The idea is that defaults to
> unreachable systems in case of firewall failure.

In the case of a 1:1 NAT firewall, what if the failure mode is that 
someone accidentally places a 'permit any any' rule on the inbound 
direction?  The NAT functionality would still work, forwarding traffic 
to the inside.

At any rate, this exact subject was discussed quite extensively on 
NANOG.  There were at least several people who thought it was incorrect 
to say that NAT provides zero security, but who also thought it was 
incorrect to claim that one needed NAT to have security.  Which brings 
us to IPv6:

> What's the address space to use in IPv6 for such
> purposes? Is fc00::/7 (RFC 4193) unroutable on
> the public Internet in the same way as RFC 1918
> addresses?

My reading of RFC 4193 and the debates surrounding it is that it should 
not be interpreted as the IPv6 version of RFC1918, that there is 
significant disagreement as to whether it's a good idea, and that 
filtering of the ULA prefix is not universally done.  (Remember, the 
thing that makes NAT unroutable is not magic, it's reliance and trust in 
your upstreams to filter and to not advertise RFC1918 addresses.)

IMO, you're almost better off keeping the IPv4 RFC1918 addresses and 
doing protocol translation at your firewall.  But maybe I am just in a 
festive holiday mood (the US Thanksgiving Holiday is starting).


More information about the ipv6-ops mailing list