Re: [fw-wiz] IPv6 support in firewalls

Patrick M. Hausen wrote:
Yes, I think "official" registered address space for every
single node, PC, mobile phone, fridge, coffee machine, ... _is_
the ultimate goal and one of the major reasons to deploy IPv6.

For us it is a major reason for not deploying IPv6. We don't want
to enable inbound connections or maintain (more complex) firewall

Every time I hear this sentiment of late it reminds me of another ILEC
astroturfing attempt, against net neutrality ATT (and DT) would _love_ to
own all your addresses, and charge for them, and force you to use their
devices to connect as they do with cell phones, and make it difficult to
move. For these reasons alone IPv6 is a consumer's nightmare.

First you should not rely on NAT as a security measure, anyway,
because it isn't.

Enough straw man arguments... Nobody's suggesting relying on NAT
for security, even though, in the standard implementation, it does a
better job than any other single IPv4 feature.

Besides added complexity and worse logging capabilities. Modern
proxy firewalls with transparency appear like a router to the
protected hosts, so why not use them that way and disable NAT?

This is behind many network admin's fears of NAT i.e, that it is
complex and difficult to monitor or log. in properly implemented
networks it is neither.

Third, this is the _only_ way to get rid of the "net 10
considered harmful" nightmare that pops up over and over again
when two enterprises want to connect their internal nets in some

Having dealt with this many times all I can say is YASMA (yet
another straw man argument). NAT works just as well between
organizations that tied their internal networks to the common
RFC1918 subnets, and for the protocols (only DNS really) that
might also need translating.

IMHO theses are the combined reasons to start over and
kill NAT forever.

See <;>
for five much better reasons to keep NAT forever.

Roger Marquis
Roble Systems Consulting
firewall-wizards mailing list

Relevant Pages

  • Re: [opensuse] Moving to IPv6
    ... other people in key postions do and have seen to it that ipv6 got invented and then implemented in all the major hardware and software by now. ... By insisting on using NAT in situations where it's not actually required you shoot yourself in the foot, because developers can not then develop the cool new things that NAT makes impossible. ... As in pretty much every other area of life, destruction is far easier than construction. ... It wouldn't bother me too much if we made it a rule that NAT was not allowed anywhere on the internet. ...
  • RE: Racoon Problem & Cisco Tunnel
    ... Internet is going to have to go there. ... IPv4, IPv6, and NAT are ... My protocol developers have a few LANs at home and we happily use NAT there. ...
  • Re: Antivirus und spybot
    ... Bei IPv4 und NAT gibt es sie nicht auf den einzelnen Endgeraeten, ... global geroutete Adressen bei IPv6. ... Der groesste Vorteil von IPv6 isz die fehlende Notwendigkeit fuer NAT. ... duer den das Internet nicht nur aus dem WWW und evt. ...
  • Re: Future of pf / firewall in FreeBSD =?UTF-8?Q?=3F=20-=20does?= =?UTF-8?Q?=20it=20have
    ... IPFilter 5 does IPv6 NAT. ... NAT66 is a specific implementation of IPv6 NAT behaviour. ... "All systems behind a stateful firewall with an appropriate rule set? ... Consider a small site with uplinks to two service providers: it can use ULA ...