mapping public to private IPv6 networks when firewalling

Michael Sinatra michael at rancid.berkeley.edu
Tue Nov 29 16:13:56 CET 2011


On 11/23/11 14:17, Cameron Byrne wrote:

> Michael,
>
> I largely agree with your opinions.  Ipv6 should be a good opportunity
> to move back to the e2e principle and a focus shift from stateful
> middlebox security controls to host based controls.
>
> But at some point, we are going to have to concede that there is no one
> right way to deploy ipv6, just like there is no one right way to deploy
> ipv4.
>
> If people come to this list looking for help in deploying ipv6, we
> should focus on listening to their questions and providing answers
> without judging their sop.
>
> Otherwise, ipv6 operators will continue to look like a bunch of
> irrelevant and clubby zealots who are constantly spouting out holier
> than thou sermons about the one true path.
>
> Not that that is what you have done, but as soon as I saw the initial
> post, I braced myself.

To be clear, I wasn't arguing that overloaded NAT (what vendors call 
"PAT") for IPv6 shouldn't be used in any circumstance.  It's true that 
it is important to me that IPv6 allows for end-to-end connectivity whose 
security model is defined by the user/administrator and not the 
technology.  But that's important *to me*.  I realize that others may 
not share that view.

What I found worth responding to was the OP's notion that 1:1 NAT should 
be regarded as a security measure, and therefore, as a SOP, because it 
tends to "fail open" (as in a circuit, not a door).  This is never 100% 
true, even with many-to-one NAT/PAT, but it's certainly not true with 
1:1 NAT; instead, it's only slightly more so than a standard stateful 
firewall.  In practice, it's not clear how likely are the corner-case 
failure modes where a 1:1 NAT will continue to protect and a stateful 
firewall with globally-routable addresses won't.

In other words, the problem is not NAT, it's the notion that 1:1 NAT is 
a SOP because it fails open, when, in most cases, it clearly doesn't.

michael