mapping public to private IPv6 networks when firewalling

Cameron Byrne cb.list6 at gmail.com
Wed Nov 23 23:17:10 CET 2011


On Nov 23, 2011 1:45 PM, "Michael Sinatra" <michael at rancid.berkeley.edu>
wrote:
>
> On 11/23/11 13:23, Eugen Leitl wrote:
>>
>>
>> The SOP for firewalling in IPv4 is to use
>> private (RFC 1918) networks and map external public
>> networks 1:1 to them.
>
>
> No it's not.  It's one of several possible (and rather common) practices,
including many-to-one NAT, stateful bridging firewall and a firewalling
router.  It's not "the SOP" and I'd say that there is no SOP.
>
>
>> The idea is that defaults to
>> unreachable systems in case of firewall failure.
>
>
> In the case of a 1:1 NAT firewall, what if the failure mode is that
someone accidentally places a 'permit any any' rule on the inbound
direction?  The NAT functionality would still work, forwarding traffic to
the inside.
>
> At any rate, this exact subject was discussed quite extensively on NANOG.
 There were at least several people who thought it was incorrect to say
that NAT provides zero security, but who also thought it was incorrect to
claim that one needed NAT to have security.  Which brings us to IPv6:
>
>
>> What's the address space to use in IPv6 for such
>> purposes? Is fc00::/7 (RFC 4193) unroutable on
>> the public Internet in the same way as RFC 1918
>> addresses?
>
>
> My reading of RFC 4193 and the debates surrounding it is that it should
not be interpreted as the IPv6 version of RFC1918, that there is
significant disagreement as to whether it's a good idea, and that filtering
of the ULA prefix is not universally done.  (Remember, the thing that makes
NAT unroutable is not magic, it's reliance and trust in your upstreams to
filter and to not advertise RFC1918 addresses.)
>
> IMO, you're almost better off keeping the IPv4 RFC1918 addresses and
doing protocol translation at your firewall.  But maybe I am just in a
festive holiday mood (the US Thanksgiving Holiday is starting).
>
> michael

Michael,

I largely agree with your opinions.  Ipv6 should be a good opportunity to
move back to the e2e principle and a focus shift from stateful middlebox
security controls to host based controls.

But at some point, we are going to have to concede that there is no one
right way to deploy ipv6, just like there is no one right way to deploy
ipv4.

If people come to this list looking for help in deploying ipv6, we should
focus on listening to their questions and providing answers without judging
their sop.

Otherwise, ipv6 operators will continue to look like a bunch or irrelevant
and clubby zealots who are constantly spouting out holier than thou sermons
about the one true path.

Not that that is what you have done, but as soon as I saw the initial post,
I braced myself.

Cb
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.cluenet.de/pipermail/ipv6-ops/attachments/20111123/5ec088b6/attachment.htm>


More information about the ipv6-ops mailing list