[arin-ppml] Set aside round deux

michael.dillon at bt.com michael.dillon at bt.com
Thu Aug 5 06:14:37 EDT 2010


> 
> With NAT, an external intruder can't compromise the web-server that my
> printer manufacturer oh so helpfully included as a feature of that
> device even IF my SI firewall is misconfigured to allow his packets
> through. He has no way of knowing the printer exists and no way of
> addressing packets to it to probe for it. He can only probe what I have
> explicitly externaly advertised through NAT.

But this is exactly what IPv6 No-Address Translation does.
There is nothing to configure in the IPv6 box. It simply does not
let any incoming packets through unless an internal box has already
sent outgoing packets. If it is TCP, then the TCP session is allowed
to work until the socket is closed. If it is UDP then a short window
of opportunity is opened for return packets.

The IPv6 No-Address Translation function does not ever translate
any addresses. It is purely about admission control to the network
based on inspection of outgoing packets. An external party cannot
probe your network for addresses which are not currently sending
packets to that party. 

I think that people are thinking of specific implementations of
stateful inspection which are part of a larger firewall product and
are optional. IPv6 NAT (No-Address Translation) should be implemented
as a non-optional part of an Internet gateway device. People who don't
want that can install a plain IPv6 router instead. 

If IPv6 NAT was implemented in this way, then I believe that it would
be far more accepted rather than people demanding that IPv4 style address
translation should be included in the device as well.

> Furthermore, the level of abstraction allows me to shift stuff around
> internaly without changing anything about the external advertisement of
> services. Thus if I want to move a particular public service from
> machine #1 to machine #2, I don't need to renumber those
> machines....and I don't need to call up Charlie, the Admin over at the
> guys using that service and say "Hey we just switched Service X from
> x.x.x.27 to x.x.x.52 make the changes on your FW so your users can get
> to the new machine we're hosting it on."  ... I just change the NAT
> mapping on my FW for those machines. That to me is incredibly usefull.

If you are going to install a firewall, then this whole discussion
of IPv6 NAT gateways does not apply to you. A firewall has far more 
features than a NAT box. We are really discussing boxes which have 
had a bit of firewall functionality (called NAT) added to them but
which do not deserve the name, "firewall". 

--Michael Dillon




More information about the ARIN-PPML mailing list