Date: Tue, 29 Jul 2014 01:21:53 +0200
From: Mark Martinec <Mark.Martinec+freebsd@ijs.si>
To: freebsd-current@freebsd.org
Cc: Kevin Oberman <rkoberman@gmail.com>
Subject: Re: Future of pf / firewall in FreeBSD ? - does it have one ?
Message-ID: <331930d6178ebbed522e9eddff0196fc@mailbox.ijs.si>
In-Reply-To: <CAN6yY1uHJn4xA-5zFr4fZez3FyXi7tT0LmhyR8yWkqG7k1A+=A@mail.gmail.com>
References: <201407261843.s6QIhcx4008597@slippy.cwsent.com> <53D61AC6.5030305@freebsd.org> <CAN6yY1uHJn4xA-5zFr4fZez3FyXi7tT0LmhyR8yWkqG7k1A+=A@mail.gmail.com>
> On Mon, Jul 28, 2014 at 2:41 AM, Darren Reed <darrenr@freebsd.org> wrote:
>> [...]
>> IPFilter 5 does IPv6 NAT.
>>
>> With the import of 5.1.2, map, rdr and rewrite rules will all work with
>> IPv6 addresses.
>>
>> NAT66 is a specific implementation of IPv6 NAT behaviour.

2014-07-29 00:07 Kevin Oberman wrote:
> And all IPv6 NAT is evil and should be cast into (demonic residence of
> your choosing) on sight!
>
> NAT on IPv6 serves no useful purpose at all. It only serves to complicate
> things and make clueless security officers happy. It adds zero security. It
> is a great example of people who assume that NAT is a security feature in
> IPv4 (it's not) so it should also be in IPv6.
>
> The problem is that this meme is so pervasive that even when people
> understand that it is bad, they still insist on it because there will be an
> unchecked box on the security checklist for "All systems not public servers
> are in RFC1918 space? -- YES NO". The checklist item should be (usually)
> "All systems behind a stateful firewall with an appropriate rule set? --
> YES NO" as it is a stateful firewall (which is mandatory for NAT) that
> provides all of the security.
>
> I say "usually" because the major research lab where I worked ran without a
> firewall (and probably still does) and little, if any, NAT. It was tested
> regularly by red teams hired by the feds and they never were able to
> penetrate anything due to a very aggressive IDS/IPS system, but most people
> and companies should NOT go this route. I have IPv6 at home (Comcast) and
> my router runs a stateful firewall with a rule set functionally the same as
> that used for IPv4 and that provides the protection needed.
>
> So putting support for NAT66 or any IPv6 NAT into a firewall is just making
> things worse. Please don't do it!
> --
> R. Kevin Oberman, Network Engineer, Retired
> E-mail: rkoberman@gmail.com

You are missing the point: we are talking about NAT64 (an IPv6-only
datacenter's path to a legacy world), and NPT66 (prefix translation).
I doubt anyone had a traditional NAT in mind.

Consider a small site with uplinks to two service providers: it can use
ULA internally and translate the prefix on each uplink.

Please see these short blogs:

- To ULA or not to ULA, That’s the Question
  http://blog.ipspace.net/2013/09/to-ula-or-not-to-ula-thats-question.html
- I Say ULA, You Hear NAT
  http://blog.ipspace.net/2014/01/i-say-ula-you-hear-nat.html
- PA, PI or ULA IPv6 Address Space? It depends
  http://blog.ipspace.net/2014/01/pa-pi-or-ula-ipv6-address-space-it.html
- Source IPv6 Address Selection Saves the Day
  http://blog.ipspace.net/2014/01/source-ipv6-address-selection-saves-day.html

  Mark
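The NPT66 prefix translation Mark describes, as an added illustration that is not part of the thread and not code from pf or IPFilter: a Python implementation of the RFC 6296 checksum-neutral mapping for the /48 case, rewriting a site's ULA prefix to a provider prefix on one uplink and back again. The prefixes and host addresses are constructed for the example, and it goes slightly beyond the post by also handling the 0xFFFF subnet-field cases the RFC singles out.

```python
"""NPTv6 (RFC 6296) checksum-neutral prefix translation, /48 prefix case.
Constructed example: ULA fd00:1234:5678::/48 inside, 2001:db8:abcd::/48 from one uplink."""
import ipaddress

INTERNAL = "fd00:1234:5678::/48"   # assumed ULA prefix used inside the site
EXTERNAL = "2001:db8:abcd::/48"    # assumed prefix assigned by one uplink provider


def _fold(s):
    """Reduce an integer to a 16-bit one's-complement sum (end-around carry)."""
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s


def _words(addr):
    """Split an IPv6 address into its eight 16-bit words, high word first."""
    raw = int(ipaddress.IPv6Address(addr))
    return [(raw >> (16 * (7 - i))) & 0xFFFF for i in range(8)]


def address_sum(addr):
    """One's-complement sum of all eight words; NPTv6 keeps it unchanged, which
    is why TCP/UDP pseudo-header checksums stay valid without being rewritten."""
    return _fold(sum(_words(addr)))


def npt66_translate(addr, from_prefix, to_prefix):
    """Swap the /48 prefix of addr (RFC 6296 section 3.3). Call with
    (INTERNAL, EXTERNAL) for outbound traffic and (EXTERNAL, INTERNAL) for inbound."""
    src, dst = ipaddress.IPv6Network(from_prefix), ipaddress.IPv6Network(to_prefix)
    if src.prefixlen != 48 or dst.prefixlen != 48:
        raise ValueError("this example handles /48 prefixes only")
    if ipaddress.IPv6Address(addr) not in src:
        raise ValueError("%s is not inside %s" % (addr, from_prefix))
    words = _words(addr)
    if words[3] == 0xFFFF:  # subnet field 0xFFFF cannot be mapped; the RFC says drop it
        raise ValueError("subnet field 0xFFFF is not translatable")
    src_w, dst_w = _words(int(src.network_address))[:3], _words(int(dst.network_address))[:3]
    # adjustment = sum(old prefix) - sum(new prefix), in one's-complement arithmetic
    adjustment = _fold(_fold(sum(src_w)) + (~_fold(sum(dst_w)) & 0xFFFF))
    subnet = _fold(words[3] + adjustment)
    if subnet == 0xFFFF:  # 0xFFFF and 0x0000 are both one's-complement zero
        subnet = 0
    raw = 0
    for w in dst_w + [subnet] + words[4:]:
        raw = (raw << 16) | w
    return str(ipaddress.IPv6Address(raw))
```

The mapping is stateless and reversible in both directions, so it provides no access control by itself; the stateful rule set on the same box is what decides which inbound flows are admitted.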
