mapping public to private IPv6 networks when firewalling

Doug Barton dougb at dougbarton.us
Fri Nov 25 00:55:46 CET 2011


On 11/24/2011 01:20, Eugen Leitl wrote:
> On Thu, Nov 24, 2011 at 08:44:42AM +0100, Seth Mos wrote:
>> On 23-11-2011 22:23, Eugen Leitl wrote:
>>>
>>> What's the address space to use in IPv6 for such
>>> purposes? Is fc00::/7 (RFC 4193) unroutable on
>>> the public Internet in the same way as RFC 1918
>>> addresses?
> 
> I'm Cc:ing this to pfsense as the thread will likely move
> to pfSense/FreeBSD specifics.
>  
>> Yes, you can, but you need NPTv6 to get out. That's the new term for 1:1
>> NAT and basically maps the 1st 64 (or larger) GUA bits from upstream
>> onto your 1st 64 bits of your inside prefix.
>>
>> And as mentioned elsewhere in the thread this has nothing to do with the
>> firewalling. If you don't put a deny incoming traffic rule on your
>> outside then traffic will happily flow in and out of the network.
> 
> But if the firewall fails to open state, the traffic will stop at the 
> next router, and will not propagate across the wider Internet as the 
> fc00::/7 addresses will not be routed beyond that, correct?

I think you're confusing different aspects of networking here. If the
firewall fails open there is nothing to stop incoming packets from
reaching their destination.

> Unrelated to that, is the procedure for IPv4 still the same
> (mapping e.g. a public /24 to a private /24 1:1) or has this also
> changed?

You keep saying things like, "the procedure" even though several really
smart people have told you that there isn't just one. :)

I suspect that the model of "ULA on the inside network and 6296 at the
border" is going to be a very common scenario for people who want to
avoid "the pain of renumbering," or who still mistakenly believe that
NAT is a security tool. In any case, that method will work essentially
the same way that your 1:1 NAT for IPv4 is working for you now.


Doug

-- 

		"We could put the whole Internet into a book."
		"Too practical."

	Breadth of IT experience, and depth of knowledge in the DNS.
	Yours for the right price.  :)  http://SupersetSolutions.com/



More information about the ipv6-ops mailing list