
Just a sample of the Echomail archive

Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.

   IPV6      The convoluted hot-mess that is IPV6      4,612 messages   


   Message 2,693 of 4,612   
   Victor Sudakov to Markus Reschke   
   NAT   
   27 Jan 19 15:08:18   
   
   Dear Markus,   
      
   26 Jan 19 16:26, you wrote to me:   
      
    VS>> The security guidelines I have read don't specify "NAT must be   
    VS>> used." They specify "RFC1918 addresses must be used in the   
    VS>> internal network."   
      
    MR> For IPv6 they could use ULA (RFC4193). ;)   
      
   Good point. Thank you. Maybe fc00::/7 has a chance of becoming the new   
   192.168/16.   
      
    VS>> A static NAT has limited usage and indeed does not provide much   
    VS>> additional security. But the dynamic NAT and especially PAT   
    VS>> provide a very important security feature no packet filter   
    VS>> provides: they *hide* the *source* *addresses* of internal hosts   
    VS>> thus effectively hiding the network structure from outsiders.   
      
    MR> And some dumbass enables UPnP on the firewall/router. >:)   
      
   I don't think enterprise-class firewalls have UPnP, do they?   
      
   And thinking about SOHO and home routers/firewalls, what kind of IPv6   
   connectivity are they going to have, what do you think? Those present who have   
   native IPv6 connectivity, what's your ISP's policy on assigning addresses to   
   customers?   
      
   If my ISP were going to give me one IPv6 address (a /128) or even one /64 net,   
   this would be too few for my purposes. For my current home network, I use five   
   /64s, so for me it would be a /56 at least.   
      
    MR> If an   
    MR> organization thinks that it has to hide the internal IP addresses for   
    MR> security reasons it can use NAT or proxies. Anyway, they still need   
    MR> much more than that to secure their network.   
      
    MR>>> There's also NAT for IPv6.   
      
    VS>> Never heard of that, other than DNS64/NAT64 which are for a   
    VS>> different purpose.   
      
    MR> NAT66   
      
   Interesting. Do you know of any implementations that could translate ULA   
   addresses into one global /64 pool?   
      
   Victor Sudakov, VAS4-RIPE, VAS47-RIPN   
   --- GoldED+/BSD 1.1.5-b20160322-b20160322   
    * Origin: Ulthar (2:5005/49)   



(c) 1994,  bbs@darkrealms.ca