[arin-ppml] The role of NAT in IPv6

Michael Richardson mcr at sandelman.ca
Sun Apr 18 12:39:06 EDT 2010

Hash: SHA1

>>>>> "michael" == michael dillon <michael.dillon at bt.com> writes:
    >> I deployed IPv4 NAT back in 1996 (or earlier, I forget) in a
    >> production environment.  The way I did it - and the ONLY way that
    >> ANYONE could do it at that time - was by applying a very large,
    >> convoluted set of patches to the FreeBSD 3 kernel and compiling
    >> the nat daemon.

    michael> At that time I was running TIS firewalls toolkit on a
    michael> FreeBSD 2 system. It was not NAT, but to the outside world,
    michael> the application layer proxies did present multiple machines
    michael> inside the network on a single IP address, just like NAT
    michael> did. And an external machine could not pass packets to an
    michael> internal one, unless a proxy was specifically configured to
    michael> allow it, just like on a NAT box.

  Between 1994 and 1996 (when I left), I shipped hundreds of Milkyway
Blackhole firewalls.   In their default configuration, they did
transparent proxy via application layer firewalling, which effectively
is NAPT, but it occurs at layer-5+.

  We had a configuration we called "Whitehole", which essentially was
application layer firewall, but it revealed the internal IPs. Or more
precisely, it was 1:1 NAT, with an identity function for the mapping.
(All of the protection, none of the calories...)
  Of course, you could mix and match what you wanted, on a per-rule basis.

  My opinion is that it was all a mistake from a security point of view
- --- what we (the firewall industry) did was permit microsoft to ship
win95 with major bugs, many of which are still not fixed. (Many are
considered "features") 

  A significant number of (technical) people have never actually been on
the "bare" Internet...  You can see them at ARIN, NANOG or IETF meetings
- --- those are the people re-installing their laptop system in the
"terminal room". 

  NAPT has been a major negative --- it causes networks to be too
complex to manage, and many PHBs can't understand it at all.

- -- 
]       He who is tired of Weird Al is tired of life!           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr at sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
   Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE>
	               then sign the petition. 

Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Finger me for keys


More information about the ARIN-PPML mailing list