[arin-ppml] IPv6 Non-connected networks

[William Herrin]

On Tue, Mar 23, 2010 at 5:04 PM, Chris Engel <cengel at sponsordirect.com> wrote:
> Owen Delong wrote:
>> Sorry, I can't figure out what particular scenario is
>> envisioned in all the missing steps there...
>
> Not trying to speak for Bill here...

Chris,

Feel free. Owen needs as much help understanding the network security
process as he can get.

> However here is where NAT comes in to help save
> your butt. You have no address mapping to any of
> those internal only devices on your firewalls
> EXTERNAL interface. So an external user has
> no way to address them. Even if that user was able
> to route a packet destined to an internal IP address
> to your Firewalls EXTERNAL interface.... that interface
> wouldn't pick it up...because as far as it's concerned
> no such IP address is bound to that interface.

Exactamundo.


> However, in this case there is no NAT, no
> "compensating control" to account for the single
> point of failure. An external user sends a packet destined
> for one of your "internal only" devices. In this case,
> since all devices use public address space...it's
> entirely addressable to that external user. The firewalls
> external interface picks up the packet... see's that it's
> allowed by the filtering rules...and passes it through
> to the destination address. Just as it thinks it's supposed to.

Another win.


> Am I wrong?

No, you're spot on.


On Tue, Mar 23, 2010 at 9:01 PM, Owen DeLong <owen at delong.com> wrote:
> On Mar 23, 2010, at 2:04 PM, Chris Engel wrote:
>> Am I wrong?
> I think you overestimate
> the value and underestimate the cost

Owen,

I wouldn't bet on it, but in this one respect you're finally talking
about a value judgment where two competent engineers can reasonably
disagree.

Regards,
Bill


-- 
William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004