Re: [fw-wiz] IPv6 support in firewalls

Patrick M. Hausen wrote:
Yes, I think "official" registered address space for every
single node, PC, mobile phone, fridge, coffee machine, ... _is_
the ultimate goal and one of the major reasons to deploy IPv6.

For us it is a major reason for not deploying IPv6. We don't want
to enable inbound connections or maintain (more complex) firewall

Every time I hear this sentiment of late it reminds me of another ILEC
astroturfing attempt against net neutrality. AT&T (and DT) would _love_ to
own all your addresses, and charge for them, and force you to use their
devices to connect as they do with cell phones, and make it difficult to
move. For these reasons alone IPv6 is a consumer's nightmare.

First you should not rely on NAT as a security measure, anyway,
because it isn't.

Enough straw man arguments... Nobody's suggesting relying on NAT
for security, even though, in the standard implementation, it does a
better job than any other single IPv4 feature.

Besides added complexity and worse logging capabilities. Modern
proxy firewalls with transparency appear like a router to the
protected hosts, so why not use them that way and disable NAT?

This is behind many network admins' fears of NAT, i.e., that it is
complex and difficult to monitor or log. In properly implemented
networks it is neither.

Third, this is the _only_ way to get rid of the "net 10
considered harmful" nightmare that pops up over and over again
when two enterprises want to connect their internal nets in some

Having dealt with this many times all I can say is YASMA (yet
another straw man argument). NAT works just as well between
organizations that tied their internal networks to the common
RFC1918 subnets, and for the protocols (only DNS really) that
might also need translating.

IMHO these are the combined reasons to start over and
kill NAT forever.

See <;>
for five much better reasons to keep NAT forever.

Roger Marquis
Roble Systems Consulting
firewall-wizards mailing list
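The "net 10 considered harmful" case argued above (two organizations that both numbered from the same RFC 1918 block and now need to interconnect) is easiest to reason about with a concrete model. The following is an added example, not code from either poster or from the firewall-wizards list: a small Python model of a static one-to-one "twice NAT" gateway that rewrites both source and destination addresses across the inter-organization link, plus the DNS answer rewriting the post notes is also required. All prefixes, host addresses and host names are constructed for the example.

```python
import ipaddress

# Constructed scenario: both organizations numbered their internal networks
# from the same RFC 1918 prefix, so their address spaces collide.
ORG_A_INTERNAL = ipaddress.ip_network("10.1.0.0/16")
ORG_B_INTERNAL = ipaddress.ip_network("10.1.0.0/16")

# Non-overlapping prefixes each side is *presented as* to the other side.
# Hypothetical values chosen for this example; any unused equal-sized
# prefixes would do.
ORG_A_AS_SEEN_BY_B = ipaddress.ip_network("172.16.0.0/16")
ORG_B_AS_SEEN_BY_A = ipaddress.ip_network("172.17.0.0/16")


def networks_overlap(a, b):
    """True when two prefixes share any address (the 'net 10' collision)."""
    return a.overlaps(b)


def one_to_one_translate(addr, inside, outside):
    """Static 1:1 NAT: keep the host offset, swap the prefix.

    Raises ValueError if addr is not inside the source prefix or the two
    prefixes differ in size (1:1 mapping needs equal-sized blocks).
    """
    addr = ipaddress.ip_address(addr)
    if addr not in inside:
        raise ValueError(f"{addr} is not in {inside}")
    if inside.prefixlen != outside.prefixlen:
        raise ValueError("1:1 translation needs equal-sized prefixes")
    offset = int(addr) - int(inside.network_address)
    return ipaddress.ip_address(int(outside.network_address) + offset)


class TwiceNatGateway:
    """Gateway on the local organization's side of the inter-org link.

    Because both sides use the same internal prefix, *both* header addresses
    must be rewritten. Which direction a packet travels is known from the
    interface it arrived on, which the model represents by calling
    outbound() or inbound().
    """

    def __init__(self, local_inside, local_outside, peer_inside, peer_outside):
        self.local_inside = local_inside      # what our hosts really use
        self.local_outside = local_outside    # how the peer sees our hosts
        self.peer_inside = peer_inside        # what the peer's hosts really use
        self.peer_outside = peer_outside      # how our hosts address the peer

    def outbound(self, src, dst):
        """Local host -> peer. src is a real local address; dst is the peer
        host's translated address as known to our side."""
        new_src = one_to_one_translate(src, self.local_inside, self.local_outside)
        new_dst = one_to_one_translate(dst, self.peer_outside, self.peer_inside)
        return str(new_src), str(new_dst)

    def inbound(self, src, dst):
        """Peer -> local host. src is the peer's real address; dst is our
        host's translated address as known to the peer."""
        new_src = one_to_one_translate(src, self.peer_inside, self.peer_outside)
        new_dst = one_to_one_translate(dst, self.local_outside, self.local_inside)
        return str(new_src), str(new_dst)

    def rewrite_dns_answer(self, records):
        """DNS ALG: A records returned by the peer's name server carry
        peer-internal addresses; rewrite them to the addresses our hosts
        must use. Addresses outside the peer's internal prefix pass through."""
        rewritten = []
        for name, addr in records:
            a = ipaddress.ip_address(addr)
            if a in self.peer_inside:
                a = one_to_one_translate(a, self.peer_inside, self.peer_outside)
            rewritten.append((name, str(a)))
        return rewritten


if __name__ == "__main__":
    gw = TwiceNatGateway(ORG_A_INTERNAL, ORG_A_AS_SEEN_BY_B,
                         ORG_B_INTERNAL, ORG_B_AS_SEEN_BY_A)
    print("overlap:", networks_overlap(ORG_A_INTERNAL, ORG_B_INTERNAL))
    print("outbound:", gw.outbound("10.1.2.3", "172.17.9.9"))
    print("inbound: ", gw.inbound("10.1.9.9", "172.16.2.3"))
    print("dns:     ", gw.rewrite_dns_answer([("fileserver.b.example", "10.1.9.9")]))
```

The model makes the practical point visible: without the DNS rewrite, a host in A that resolves a name from B's name server receives 10.1.9.9 and routes it to its own LAN, so the address-layer translation alone is not enough, which is exactly why DNS is the one protocol singled out as also needing translation.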