> Hi Chris,
>
> On Oct 25, 2010, at 11:02 AM, Chris Engel wrote:
> > The flavor of NAT66 being proposed here wouldn't even cover it....
> > since we would want something stateful that supports both 1:1 and
> > many:1 translations as well as Port Translations and has some built
> > in level of blocking Inbound traffic (i.e. exactly what we have in
> > IPv4 NAT now).
>
> Do you think that what you want could be provided by NAT66 coupled
> with a stateful firewall? Or is there something more that you would
> need?
>
> It sounds like the many:1 translation might be missing... What is
> that used for?
Margaret, unfortunately NAT66 coupled with an SI firewall...although a decent architecture, doesn't quite cut it for us. We use both static (1:1) and dynamic (many:1) NAT as well as port translation (i.e. port 80 on public IP = port 43480 on private IP, etc). This gives us a lot of versatility in customizing our internal architecture and abstracting it from our external presence.

We use many:1 NAT for connections that we KNOW and purposefully INTEND connectivity only be one way (mainly end user workstations, etc). That way an external source has no way of even addressing the device unless an entry exists for it in the boundary device's state table (i.e. an OUTGOING connection has already been established). Thus even if the FW rule is removed (due to misconfiguration or otherwise).... there is SOME measure of protection against external connections...Multiple Layers instead of just one. Furthermore, it complicates, at least on the network level, tracking and profiling individual devices (even though that capability might exist at higher levels).

Port Translation is also an important function for us....so that we can present a single public IP address as, say, an SMTP and an HTTP server...and have different devices handle providing that service without needing to run some sort of load balancing hardware or renumbering IPs internally.

Maybe I'm just ignorant, but I'm not even sure how compatible Load Balancing and High Availability are with the principle of End to End transparency being espoused by some folks here. The scenarios I've always experienced work something like this.....

1) You have 1 DNS entry for your Load Balanced/HA Application. Entry points to 1 Public Address.

2) Your load balancer acts as a proxy for that public IP...farms it out to the individual devices responsible for delivering that service based upon whatever algorithm you specify for it.

3) Client Application has no knowledge that its communication is with Device A rather than Device B....as far as it's concerned everything is going to the 1 public IP.

Seems to me that functionality which many service providers depend on runs pretty much contrary to the e2e transparency that some folks here are contending is necessary for the growth of the internet.

> > However, the flavor of NAT66 being proposed here will go a long way
> > toward helping SOME organizations consider adoption of IPv6. Stating
> > that deploying FW packet filtering rules which default to closed,
> > isn't spreading FUD about IPv6... it's helping address some of the
> > real security concerns that organizations and individuals have about
> > IPv6 adoption. Note that those SAME rules generally existed by
> > default as a best practice in IPv4 world... with deprecation of
> > stateful many:1 NAT...many organizations are actually LOSING a
> > layer of protection here.... some of which (including mine) consider
> > that in itself a barrier to adoption of IPv6.
>
> It is my impression that you can achieve that same level of protection
> from a stateful IPv6 firewall as you would from an IPv4 NAT. Does
> that match your experience?
>
> Margaret

Christopher Engel
Network Infrastructure Manager
SponsorDirect
[email protected]
www.SponsorDirect.com
p (914) 729-7218
f (914) 729-7201

_______________________________________________
nat66 mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/nat66
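A constructed model of the two boundary designs compared in this exchange (an added illustration, not part of the mailing-list post): a stateful many:1 NAT with port translation, where an unsolicited inbound packet simply has no mapping to be delivered to, beside a stateful firewall whose protection depends on its default-deny inbound rule staying in place. All addresses, ports and the `demo` scenario are constructed for the example.

```python
from collections import namedtuple

Pkt = namedtuple("Pkt", "src sport dst dport")
PUBLIC_IP = "203.0.113.10"  # constructed public address (TEST-NET-3)

class StatefulNAPT:
    """Many:1 NAT with port translation. Inside hosts share PUBLIC_IP; inbound is
    deliverable only via a static port mapping or one an OUTGOING flow created."""
    def __init__(self, static_ports=None):
        self.static = static_ports or {}  # public port -> (inside ip, inside port)
        self.dyn = {}  # (remote ip, remote port, public port) -> (inside ip, inside port)
        self.next_port = 40000
    def outbound(self, p):
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.dyn[(p.dst, p.dport, pub_port)] = (p.src, p.sport)
        return Pkt(PUBLIC_IP, pub_port, p.dst, p.dport)
    def inbound(self, p):
        target = self.static.get(p.dport) or self.dyn.get((p.src, p.sport, p.dport))
        return None if target is None else Pkt(p.src, p.sport, *target)  # None = dropped

class StatefulFirewall:
    """Routed boundary: real inside addresses, a state table admitting return
    traffic, and a default policy for unsolicited inbound packets."""
    def __init__(self, default_inbound="deny"):
        self.default_inbound, self.state = default_inbound, set()
    def outbound(self, p):
        self.state.add((p.dst, p.dport, p.src, p.sport))
        return p  # addresses untouched: end-to-end transparent
    def inbound(self, p):
        if (p.src, p.sport, p.dst, p.dport) in self.state:
            return p
        return p if self.default_inbound == "allow" else None

def demo():
    """Workstation 10.0.0.5 talks out to a constructed server, then an unrelated
    host probes inward with no prior connection. Returns what each boundary did."""
    napt = StatefulNAPT(static_ports={80: ("10.0.0.20", 43480)})  # port 80 public -> 43480 private
    fw, fw_open = StatefulFirewall("deny"), StatefulFirewall("allow")  # "allow": default-closed rule lost
    server, probe = ("198.51.100.7", 443), ("192.0.2.9", 5555)  # constructed external hosts
    ws = Pkt("10.0.0.5", 51000, *server)
    out = napt.outbound(ws); fw.outbound(ws); fw_open.outbound(ws)
    return {
        "napt_reply_delivered": napt.inbound(Pkt(*server, PUBLIC_IP, out.sport)) == Pkt(*server, "10.0.0.5", 51000),
        "napt_probe_delivered": napt.inbound(Pkt(*probe, PUBLIC_IP, 443)) is not None,
        "napt_static_forward": napt.inbound(Pkt(*probe, PUBLIC_IP, 80)) == Pkt(*probe, "10.0.0.20", 43480),
        "fw_reply_delivered": fw.inbound(Pkt(*server, "10.0.0.5", 51000)) is not None,
        "fw_probe_delivered": fw.inbound(Pkt(*probe, "10.0.0.5", 443)) is not None,
        "fw_open_probe_delivered": fw_open.inbound(Pkt(*probe, "10.0.0.5", 443)) is not None,
    }
```

Both boundaries admit the return traffic and drop the probe; the difference `demo()` surfaces is that the firewall's protection vanishes when its default flips to allow, while the NAPT still has nothing to deliver the probe to (only the explicit port-80 mapping is reachable from outside).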
