mapping public to private IPv6 networks when firewalling
Michael Sinatra
michael at rancid.berkeley.edu
Tue Nov 29 16:13:56 CET 2011
On 11/23/11 14:17, Cameron Byrne wrote:
> Michael,
>
> I largely agree with your opinions. Ipv6 should be a good opportunity
> to move back to the e2e principle and a focus shift from stateful
> middlebox security controls to host based controls.
>
> But at some point, we are going to have to concede that there is no one
> right way to deploy ipv6, just like there is no one right way to deploy
> ipv4.
>
> If people come to this list looking for help in deploying ipv6, we
> should focus on listening to their questions and providing answers
> without judging their sop.
>
> Otherwise, ipv6 operators will continue to look like a bunch or
> irrelevant and clubby zealots who are constantly spouting out holier
> than thou sermons about the one true path.
>
> Not that that is what you have done, but as soon as I saw the initial
> post, I braced myself.
To be clear, I wasn't arguing that overloaded NAT (what vendors call
"PAT") for IPv6 shouldn't be used in any circumstance. It's true that
it is important to me that IPv6 allows for end-to-end connectivity whose
security model is defined by the user/administrator and not the
technology. But that's important *to me*. I realize that others may
not share that view.
What I found worth responding to was the OP's notion that 1:1 NAT should
be regarded as a security measure, and therefore, as a SOP, because it
tends to "fail open" (as in a circuit, not a door). This is never 100%
true, even with many-to-one NAT/PAT, but it's certainly not true with
1:1 NAT; instead, it's only slightly more so than a standard stateful
firewall. In practice, it's not clear how likely are the corner-case
failure modes where a 1:1 NAT will continue to protect and a stateful
firewall with globally-routable addresses won't.
In other words, the problem is not NAT, it's the notion that 1:1 NAT is
a SOP because it fails open, when, in most cases, it clearly doesn't.
michael
More information about the ipv6-ops
mailing list