In message <[email protected]>, Owen DeLong writes:
> 
> On Mar 24, 2014, at 8:52 PM, George Herbert <[email protected]> wrote:
> 
> > On Mon, Mar 24, 2014 at 8:02 PM, Owen DeLong <[email protected]> wrote:
> > 
> > > On Mar 24, 2014, at 9:21 AM, William Herrin <[email protected]> wrote:
> > > 
> > > > On Sun, Mar 23, 2014 at 11:07 PM, Naslund, Steve
> > > > <[email protected]> wrote:
> > > > > I am not sure I agree with the basic premise here. NAT or Private
> > > > > addressing does not equal security.
> > > > 
> > > > Hi Steve,
> > > > 
> > > > It is your privilege to believe this and to practice it in the
> > > > networks you operate.
> > > > 
> > > > Many of the folks you would have deploy IPv6 do not agree. They take
> > > > comfort in the mathematical impossibility of addressing an internal
> > > > host from an outside packet that is not part of an ongoing session.
> > > > These folks find that address-overloaded NAT provides a valuable
> > > > additional layer of security.
> > > 
> > > Which impossibility has been disproven multiple times.
> > > 
> > > > Some folks WANT to segregate their networks from the Internet via a
> > > > general-protocol transparent proxy. They've had this capability with
> > > > IPv4 for 20 years. IPv6 poorly addresses their requirement.
> > > 
> > > Actually, there are multiple implementations of transparent proxies
> > > available for IPv6. NAT isn't the same thing at all.
> > > 
> > > If you want to make your life difficult in IPv6, you can. Nobody
> > > prevents you from doing so. It is discouraged and non-sensical,
> > > but quite possible at this point.
> > > 
> > > Owen
> > 
> > Right. fc00::/7 exists. If you want to emulate your internal use of
> > 10.0.0.0/8 plus NAT (or, proxies or load balancers or whatever) in your
> > IPv6 implementation go ahead. Putting in some robust filtering that if
> > the fc00::/7 ever appears outside the internal gateway the traffic goes
> > poof should be as easy as the equivalents for 10, 172.16, 192.168 ...
> 
> More accurately fd00::/8.
> 
> fc00::/8 was reserved for ULA coordinated which failed to gain consensus.
> While IETF did set aside the /7, only fd00::/8 has a legitimate documented
> purpose.

And if you are going to filter, fc00::/7 is more future proof.

> Owen

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]
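An added example, not code from the thread or from any of its participants: a small Python model of the border filter George and Mark describe, run over constructed sample packets, showing why a rule on fc00::/7 also catches an address from the never-allocated fc00::/8 that an fd00::/8-only rule would pass. The packet list and the addresses in it are constructed for illustration (2001:db8::/32 is the documentation prefix).

```python
import ipaddress

# Prefixes named in the thread (RFC 4193 Unique Local Addresses).
ULA_BLOCK = ipaddress.ip_network("fc00::/7")    # the whole IETF reservation
ULA_LOCAL = ipaddress.ip_network("fd00::/8")    # locally assigned ULA, the half in real use
ULA_CENTRAL = ipaddress.ip_network("fc00::/8")  # "ULA coordinated"/central, never allocated

# Two candidate border policies: filter only the documented /8, or the whole /7.
POLICY_FD00_ONLY = [ULA_LOCAL]
POLICY_FC00_7 = [ULA_BLOCK]


def border_drops(src: str, dst: str, policy) -> bool:
    """True if a packet seen outside the site gateway must be dropped.

    A ULA prefix has no meaning beyond the site, so a ULA source OR destination
    crossing the border in either direction is a leak (or a spoof) and goes poof.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in net or d in net for net in policy)


def leaks(packets, policy):
    """Return the (src, dst) pairs a policy would let through the border."""
    return [(s, d) for s, d in packets if not border_drops(s, d, policy)]


def coverage_check() -> bool:
    """Both /8 halves lie inside fc00::/7, which is why the /7 rule is more future proof."""
    return ULA_LOCAL.subnet_of(ULA_BLOCK) and ULA_CENTRAL.subnet_of(ULA_BLOCK)


# Constructed sample packets observed on the external interface (not real traffic).
SAMPLE_PACKETS = [
    ("2001:db8:1::10", "2001:db8:2::20"),      # ordinary global traffic: allowed
    ("fd12:3456:789a::1", "2001:db8:2::20"),   # fd00::/8 source leaking out
    ("2001:db8:2::20", "fd12:3456:789a::1"),   # inbound packet aimed at an internal ULA host
    ("fc00:1234::1", "2001:db8:2::20"),        # fc00::/8 source: only the /7 rule catches it
]


if __name__ == "__main__":
    for name, policy in (("fd00::/8", POLICY_FD00_ONLY), ("fc00::/7", POLICY_FC00_7)):
        print(f"filter {name}: passes {leaks(SAMPLE_PACKETS, policy)}")
    print("fc00::/7 covers both /8s:", coverage_check())
```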

