Date: Tue, 29 Jul 2014 01:21:53 +0200 From: Mark Martinec <Mark.Martinec+freebsd@ijs.si> To: freebsd-current@freebsd.org Cc: Kevin Oberman <rkoberman@gmail.com> Subject: Re: Future of pf / firewall in FreeBSD =?UTF-8?Q?=3F=20-=20does?= =?UTF-8?Q?=20it=20have=20one=20=3F?= Message-ID: <331930d6178ebbed522e9eddff0196fc@mailbox.ijs.si> In-Reply-To: <CAN6yY1uHJn4xA-5zFr4fZez3FyXi7tT0LmhyR8yWkqG7k1A%2B=A@mail.gmail.com> References: <201407261843.s6QIhcx4008597@slippy.cwsent.com> <53D61AC6.5030305@freebsd.org> <CAN6yY1uHJn4xA-5zFr4fZez3FyXi7tT0LmhyR8yWkqG7k1A%2B=A@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
> On Mon, Jul 28, 2014 at 2:41 AM, Darren Reed <darrenr@freebsd.org>=20 > wrote: >> [...] >> IPFilter 5 does IPv6 NAT. >>=20 >> With the import of 5.1.2, map, rdr and rewrite rules will all work=20 >> with >> IPv6 addresses. >>=20 >> NAT66 is a specific implementation of IPv6 NAT behaviour. 2014-07-29 00:07 Kevin Oberman wrote: > And all IPv6 NAT is evil and should be cast into (demonic residence of=20 > your > choosing) on sight! >=20 > NAT on IPv6 serves no useful purpose at all. It only serves to=20 > complicate > things and make clueless security officers happy. It adds zero=20 > security. It > is a great example of people who assume that NAT is a security feature=20 > in > IPv4 (it's not) so it should also be in IPv6. >=20 > The problem is that this meme is so pervasive that even when people > understand that it is bad, they still insist on it because there will=20 > be an > unchecked box on the security checklist for "All systems not pubic=20 > servers > are in RFC1918 space? -- YES NO". The checklist item should be=20 > (usually) > "All systems behind a stateful firewall with an appropriate rule set?=20 > -- > YES NO" as it is a stateful firewall (which is mandatory for NAT that > provides all of the security. >=20 > I say "usually" because the major research lab where I worked ran=20 > without a > firewall (and probably still does) and little, if any, NAT. It was=20 > tested > regularly by red teams hired by the feds and they never were able to > penetrate anything due to a very aggressive IDS/IPS system, but most=20 > people > and companies should NOT go this route. I have IPv6 at home (Comcast)=20 > and > my router runs a stateful firewall with a rule set functionally the=20 > same as > that used for IPv4 and that provides the protection needed. >=20 > So putting support for NAT66 or any IPv6 NAT into a firewall is just=20 > making > things worse. Please don't do it! > -- > R. Kevin Oberman, Network Engineer, Retired > E-mail: rkoberman@gmail.com You are missing the point, we are talking about NAT64 (IPv6-only=20 datacenter's path to a legacy world), and NPT66 (prefix transalation). I doubt anyone=20 had a traditional NAT in mind. Consider a small site with uplinks to two service providers: it can use=20 ULA internally and translate prefix on each uplink. Please see these short blogs: - To ULA or not to ULA, That=E2=80=99s the Question =20 http://blog.ipspace.net/2013/09/to-ula-or-not-to-ula-thats-question.html - I Say ULA, You Hear NAT http://blog.ipspace.net/2014/01/i-say-ula-you-hear-nat.html - PA, PI or ULA IPv6 Address Space? It depends =20 http://blog.ipspace.net/2014/01/pa-pi-or-ula-ipv6-address-space-it.html - Source IPv6 Address Selection Saves the Day =20 http://blog.ipspace.net/2014/01/source-ipv6-address-selection-saves-day.htm= l Mark
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?331930d6178ebbed522e9eddff0196fc>