mapping public to private IPv6 networks when firewalling
michael at rancid.berkeley.edu
Wed Nov 23 22:45:22 CET 2011
On 11/23/11 13:23, Eugen Leitl wrote:
> The SOP for firewalling in IPv4 is to use
> private (RFC 1918) networks and map external public
> networks 1:1 to them.
No it's not. It's one of several possible (and rather common)
practices, including many-to-one NAT, stateful bridging firewall and a
firewalling router. It's not "the SOP" and I'd say that there is no SOP.
> The idea is that defaults to
> unreachable systems in case of firewall failure.
In the case of a 1:1 NAT firewall, what if the failure mode is that
someone accidentally places a 'permit any any' rule on the inbound
direction? The NAT functionality would still work, forwarding traffic
to the inside.
At any rate, this exact subject was discussed quite extensively on
NANOG. There were at least several people who thought it was incorrect
to say that NAT provides zero security, but who also thought it was
incorrect to claim that one needed NAT to have security. Which brings
us to IPv6:
> What's the address space to use in IPv6 for such
> purposes? Is fc00::/7 (RFC 4193) unroutable on
> the public Internet in the same way as RFC 1918
My reading of RFC 4193 and the debates surrounding it is that it should
not be interpreted as the IPv6 version of RFC1918, that there is
significant disagreement as to whether it's a good idea, and that
filtering of the ULA prefix is not universally done. (Remember, the
thing that makes NAT unroutable is not magic, it's reliance and trust in
your upstreams to filter and to not advertise RFC1918 addresses.)
IMO, you're almost better off keeping the IPv4 RFC1918 addresses and
doing protocol translation at your firewall. But maybe I am just in a
festive holiday mood (the US Thanksgiving Holiday is starting).
More information about the ipv6-ops