[arin-ppml] The definitive solution to NAT security layers in IPv6

[michael.dillon at bt.com]

> Adding a door with a key is like adding a firewall. You can 
> no walk packets freely in and out of the network.
> 
> The addition of a "pneumatic closer" is consistent with any 
> stateful firewall. Unlike a basic packet filter, the stateful 
> firewall pulls the door closed behind the permitted transport 
> sessions, denying other packets.

Seems to me that the essence of the IPv4 multilayer defense is to
have one box that is a firewall and another box that is a NAT
device.

In IPv6, it is entirely possible that the stateful inspection function
of the IPv4 NAT device, would be incorporated into the IPv6 gateway
device which handles the demarcation between ISP and end user network.

The specs for these customer edge routers are currently under
discussion in the IETF's v6ops working group here:
<http://datatracker.ietf.org/doc/draft-ietf-v6ops-ipv6-cpe-router/>

May I suggest that this discussion should move to v6ops where
they would welcome input from people experienced in network
operations.

Seems to me that this has nothing much to do with ARIN policy,
at least not until v6ops has issues their RFC.

Also, please note that NAT means network address translation
and strictly speaking, it is possible to implement network 
address translation in such a way that it fails wide open
to the outside world. In the IPv6 world, it is likely that
there will be some form of network address translation but
it would be dangerous to assume that IPv6 NAT will have all
of the same characteristics of IPv4 NAT.

--Michael Dillon