In message <38465846B6383D4A8688C0A13971900C48DC4AFA@ge2eml2k1004>, Marco Ermini writes:
> On residential routers, the myth that IPv6 will come and solve all of the
> NAT problems, and allow ubiquitous and secure access to all the devices,
> is, in fact, a myth. IPv6 breaks protocols as much (if not more) than IPv4
> NAT. The most used residential router in Germany (and a proudly German
> engineered product) requires advanced view enabled just to enable it; it
> provides ULAs via DHCPv6, and performs translation to routable IPv6
> addresses. While IPv4 NAT needs to perform stateful translation of IPs
> and ports, residential routers on IPv6 only translate IPs, but that is
> not improving a lot.

This sounds like the ISP or CPE vendor has not listened to 15+ years of
advice on how to deploy IPv6.

You should be getting a prefix delegation from the ISP which is then
redistributed to the inside network. The PD should be at least a /56 and
preferably a /48. The prefix delegation can be delivered via 6RD if there
isn't native IPv6. ULA is an additional prefix that provides stable
internal addressing.

NAT66 is not recommended, and the IETF has even published several RFCs
that state exactly that opinion.

RFC 6296:

   For reasons discussed in [RFC2993] and Section 5, the IETF does not
   recommend the use of Network Address Translation technology for IPv6.
   Where translation is implemented, however, this specification provides
   a mechanism that has fewer architectural problems than merely
   implementing a traditional stateful Network Address Translator in an
   IPv6 environment. It also provides a useful alternative to the
   complexities and costs imposed by multihoming using
   provider-independent addressing and the routing and network management
   issues of overlaid ISP address space. Some problems remain, however.
   The reader should consider the alternatives suggested in [RFC4864] and
   the considerations of [RFC5902] for improved approaches.

If someone thinks NAT66 provides any effective security they need their
head read. Internal addresses leak all over the place, and once you have
one, all the internal machines are addressable. The only thing NAT66
provides is the ability to have a single IPv6 address per machine vs.
multiple IPv6 addresses internally, which comes at the cost of requiring
external equipment to be able to determine the effective GUA the machine
has, and more complicated software at the application level to work
around the NAT.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]

_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
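The following is an added example, not code from this thread, from the IETF, or from any CPE vendor. It implements the stateless, checksum-neutral prefix mapping that RFC 6296 (NPTv6) specifies for prefixes of /48 or shorter, using the RFC's own worked example as constructed sample input. It illustrates Mark's last point above: because the mapping is algorithmic and keeps no per-flow state, one leaked internal address plus the public prefix is enough to compute the globally reachable address of every host behind the translator, and the reverse mapping is just as cheap. Function names, the host list and the log-style comments are this example's own assumptions.

```python
"""Stateless NPTv6 prefix translation (RFC 6296, section 3.1, /48 case).

Added example for this thread; not code from the OPSEC list, the IETF,
or any router vendor.  Implements the checksum-neutral address mapping
and uses the RFC's own worked example as constructed sample input.  All
function and variable names are this example's own.
"""
import ipaddress


def ones_complement_sum(words):
    """16-bit one's complement sum with end-around carry (as in RFC 1071)."""
    total = 0
    for w in words:
        total += w & 0xFFFF
        total = (total & 0xFFFF) + (total >> 16)
    return total


def to_words(addr):
    """Split an IPv6 address into its eight 16-bit words, most significant first."""
    packed = ipaddress.IPv6Address(addr).packed
    return [int.from_bytes(packed[i:i + 2], "big") for i in range(0, 16, 2)]


def from_words(words):
    return ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in words))


def nptv6_map(addr, from_prefix, to_prefix):
    """Rewrite addr's prefix from from_prefix to to_prefix, checksum-neutrally.

    Only the RFC 6296 section 3.1 case is handled: both prefixes the same
    length and no longer than /48, so the adjustment lands in word 3 (the
    16-bit subnet field).  The same function serves both directions.
    """
    src = ipaddress.IPv6Network(from_prefix)
    dst = ipaddress.IPv6Network(to_prefix)
    if src.prefixlen != dst.prefixlen or src.prefixlen > 48:
        raise ValueError("prefixes must be equal length and no longer than /48")
    a = ipaddress.IPv6Address(addr)
    if a not in src:
        raise ValueError(f"{a} is not within {src}")

    # Swap only the prefix bits; everything after the prefix boundary is kept.
    mask = ((1 << src.prefixlen) - 1) << (128 - src.prefixlen)
    swapped = (int(dst.network_address) & mask) | (int(a) & ~mask)
    old = to_words(a)
    new = to_words(swapped)

    # Pick word 3 so the one's complement sum of the address is unchanged:
    #   new[3] = old[3] + sum(old[0:3]) - sum(new[0:3])   (one's complement)
    # Subtraction is addition of the bitwise complement.
    adjust = ones_complement_sum([old[3],
                                  ones_complement_sum(old[:3]),
                                  0xFFFF ^ ones_complement_sum(new[:3])])
    if adjust == 0xFFFF:
        # Negative zero in one's complement; RFC 6296 writes it as 0x0000.
        # (This is also why an inside subnet of 0xFFFF cannot be told
        # apart from 0x0000 after translation.)
        adjust = 0x0000
    new[3] = adjust
    return from_words(new)


def checksum_neutral(addr_a, addr_b):
    """True if both addresses contribute the same one's complement sum to a
    TCP/UDP/ICMPv6 pseudo-header checksum, so no L4 checksum rewrite is needed."""
    sa = ones_complement_sum(to_words(addr_a))
    sb = ones_complement_sum(to_words(addr_b))
    return (sa % 0xFFFF) == (sb % 0xFFFF)


# Constructed sample, matching the worked example in RFC 6296 section 3.1.
INSIDE_PREFIX = "fd01:203:405::/48"    # ULA used on the LAN (assumed)
OUTSIDE_PREFIX = "2001:db8:1::/48"     # delegated GUA prefix (assumed)

# Constructed "leaked" internal addresses (e.g. seen in outbound mail
# headers).  With a stateless mapping, each one resolves directly to the
# globally reachable address of that host.
LEAKED_INSIDE_HOSTS = [
    "fd01:203:405:1::1234",
    "fd01:203:405:7::c0ff:ee",
]


def reachable_from_outside(inside_hosts):
    """Map every leaked inside address to the GUA the Internet can reach it at."""
    return {h: str(nptv6_map(h, INSIDE_PREFIX, OUTSIDE_PREFIX)) for h in inside_hosts}


if __name__ == "__main__":
    for inside, outside in reachable_from_outside(LEAKED_INSIDE_HOSTS).items():
        back = nptv6_map(outside, OUTSIDE_PREFIX, INSIDE_PREFIX)
        print(f"{inside:26} -> {outside:26} "
              f"neutral={checksum_neutral(inside, outside)} "
              f"reverse_ok={str(back) == inside}")
```

Running it prints the RFC's 2001:db8:1:d550::1234 for fd01:203:405:1::1234 and shows that a naive prefix swap (2001:db8:1:1::1234) would not be checksum-neutral; note that nothing in the mapping depends on state the outside observer lacks, which is the substance of the "once you have one, all the internal machines are addressable" remark.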
