mapping public to private IPv6 networks when firewalling

Eugen Leitl eugen at
Fri Nov 25 08:19:27 CET 2011

On Thu, Nov 24, 2011 at 03:55:46PM -0800, Doug Barton wrote:
> On 11/24/2011 01:20, Eugen Leitl wrote:
> > On Thu, Nov 24, 2011 at 08:44:42AM +0100, Seth Mos wrote:
> >> On 23-11-2011 22:23, Eugen Leitl wrote:
> >>>
> >>> What's the address space to use in IPv6 for such
> >>> purposes? Is fc00::/7 (RFC 4193) unroutable on
> >>> the public Internet in the same way as RFC 1918
> >>> addresses?
> > 
> > I'm Cc:ing this to pfsense as the thread will likely move
> > to pfSense/FreeBSD specifics.
> >  
> >> Yes, you can, but you need NPTv6 to get out. That's the new term for 1:1
> >> NAT and basically maps the 1st 64 (or larger) GUA bits from upstream
> >> onto your 1st 64 bits of your inside prefix.
> >>
> >> And as mentioned elsewhere in the thread this has nothing to do with the
> >> firewalling. If you don't put a deny incoming traffic rule on your
> >> outside then traffic will happily flow in and out of the network.
> > 
> > But if the firewall fails to open state, the traffic will stop at the 
> > next router, and will not propagate across the wider Internet as the 
> > fc00::/7 addresses will not be routed beyond that, correct?
>
> I think you're confusing different aspects of networking here. If the
> firewall fails open there is nothing to stop incoming packets from
> reaching their destination.

If the entity doing the address mapping is out of the loop, the
addresses of the targets flip from public IPs to private
IPs. Then they shouldn't propagate until the next correctly
configured router (or L3 switch -- I think I'll do some
testing here, how far within the network I'll come with
firewall/router bypassed).

> > Unrelated to that, is the procedure for IPv4 still the same
> > (mapping e.g. a public /24 to a private /24 1:1) or has this also
> > changed?
>
> You keep saying things like, "the procedure" even though several really
> smart people have told you that there isn't just one. :)

You notice I omitted the "standard operating" part ;)

> I suspect that the model of "ULA on the inside network and 6296 at the
> border" is going to be a very common scenario for people who want to
> avoid "the pain of renumbering," or who still mistakenly believe that

Yes, if I have several hundred hosts on the inside which are all
bound to particular IPv4 or IPv6 addresses and ports, moving them
to a different environment will be extremely hard -- I'm having
that problem with some 10 virtual guests run by people who
are not necessarily easily reachable, and have to renumber these.
I'd rather avoid that.

> NAT is a security tool. In any case, that method will work essentially

I never said that I believed NAT (which typically means hiding
a network behind a single address, not mapping networks 1:1
with no other network traffic filtering unless explicitly
specified) was adding more than a minor additional security

> the same way that your 1:1 NAT for IPv4 is working for you now.

Eugen* Leitl leitl
ICBM: 48.07100, 11.36820
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
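
Added example (not part of the original message or thread): a Python implementation of the stateless prefix mapping discussed above, using the checksum-neutral adjustment RFC 6296 defines for /48 prefixes, which goes slightly beyond the "map the first 64 bits" summary in the quoted text. The prefixes and function names are constructed for illustration.

```python
import ipaddress

ULA = ipaddress.ip_network("fc00::/7")  # RFC 4193 unique local range

def words(addr):
    """Split an IPv6 address into eight 16-bit words."""
    n = int(addr)
    return [(n >> (112 - 16 * i)) & 0xFFFF for i in range(8)]

def oc_add(a, b):
    """16-bit ones' complement addition (end-around carry)."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)

def oc_sum(ws):
    total = 0
    for w in ws:
        total = oc_add(total, w)
    return total

def nptv6_translate(addr, src_prefix, dst_prefix):
    """Rewrite addr from src_prefix to dst_prefix (both /48), keeping the
    ones' complement sum of the address unchanged (checksum-neutral)."""
    addr = ipaddress.IPv6Address(addr)
    src = ipaddress.IPv6Network(src_prefix)
    dst = ipaddress.IPv6Network(dst_prefix)
    if src.prefixlen != 48 or dst.prefixlen != 48:
        raise ValueError("this example handles /48 prefixes only")
    if addr not in src:
        raise ValueError(f"{addr} is not inside {src}")
    w = words(addr)
    new_prefix = words(dst.network_address)[:3]
    # adjustment = sum(old prefix) - sum(new prefix), in ones' complement
    adjustment = oc_add(oc_sum(w[:3]), 0xFFFF ^ oc_sum(new_prefix))
    subnet = oc_add(w[3], adjustment)
    if subnet == 0xFFFF:  # 0xFFFF and 0x0000 are both zero; use 0x0000
        subnet = 0
    out = 0
    for x in new_prefix + [subnet] + w[4:]:
        out = (out << 16) | x
    return ipaddress.IPv6Address(out)

if __name__ == "__main__":
    inside, outside = "fd01:203:405::/48", "2001:db8:1::/48"  # constructed sample prefixes
    ext = nptv6_translate("fd01:203:405:1::1234", inside, outside)
    print("outbound:", ext)
    # No state is consulted: any address in the outside /48 maps straight back
    # to an inside host, so inbound filtering has to come from firewall rules.
    back = nptv6_translate(ext, outside, inside)
    print("inbound: ", back, "ULA" if back in ULA else "not ULA")
```
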

More information about the ipv6-ops mailing list