From: Kevin Oberman
To: Mark Martinec
Cc: FreeBSD Current
Date: Mon, 28 Jul 2014 18:13:19 -0700
Subject: Re: Future of pf / firewall in FreeBSD ? - does it have one ?
In-Reply-To: <331930d6178ebbed522e9eddff0196fc@mailbox.ijs.si>
References: <201407261843.s6QIhcx4008597@slippy.cwsent.com> <53D61AC6.5030305@freebsd.org> <331930d6178ebbed522e9eddff0196fc@mailbox.ijs.si>
List-Id: Discussions about the use of FreeBSD-current

On Mon, Jul 28, 2014 at 4:21 PM, Mark Martinec wrote:
> On Mon, Jul 28, 2014 at 2:41 AM, Darren Reed wrote:
>>> [...]
>>>
>>> IPFilter 5 does IPv6 NAT.
>>>
>>> With the import of 5.1.2, map, rdr and rewrite rules will all work with
>>> IPv6 addresses.
>>>
>>> NAT66 is a specific implementation of IPv6 NAT behaviour.
>>
> 2014-07-29 00:07 Kevin Oberman wrote:
>
>> And all IPv6 NAT is evil and should be cast into (demonic residence of
>> your choosing) on sight!
>>
>> NAT on IPv6 serves no useful purpose at all. It only serves to complicate
>> things and make clueless security officers happy. It adds zero security.
>> It is a great example of people who assume that NAT is a security feature
>> in IPv4 (it's not) so it should also be in IPv6.
>>
>> The problem is that this meme is so pervasive that even when people
>> understand that it is bad, they still insist on it because there will be
>> an unchecked box on the security checklist for "All systems not public
>> servers are in RFC1918 space? -- YES NO". The checklist item should be
>> (usually) "All systems behind a stateful firewall with an appropriate rule
>> set? -- YES NO" as it is a stateful firewall (which is mandatory for NAT)
>> that provides all of the security.
>>
>> I say "usually" because the major research lab where I worked ran without
>> a firewall (and probably still does) and little, if any, NAT. It was tested
>> regularly by red teams hired by the feds and they never were able to
>> penetrate anything due to a very aggressive IDS/IPS system, but most
>> people and companies should NOT go this route. I have IPv6 at home
>> (Comcast) and my router runs a stateful firewall with a rule set
>> functionally the same as that used for IPv4 and that provides the
>> protection needed.
>>
>> So putting support for NAT66 or any IPv6 NAT into a firewall is just
>> making things worse. Please don't do it!
>> --
>> R. Kevin Oberman, Network Engineer, Retired
>> E-mail: rkoberman@gmail.com
>>
>
> You are missing the point, we are talking about NAT64 (IPv6-only
> datacenter's path to a legacy world), and NPT66 (prefix translation).
> I doubt anyone had a traditional NAT in mind.
>
> Consider a small site with uplinks to two service providers: it can use ULA
> internally and translate prefix on each uplink.
>
> Please see these short blogs:
>
> - To ULA or not to ULA, That’s the Question
> http://blog.ipspace.net/2013/09/to-ula-or-not-to-ula-thats-question.html
>
> - I Say ULA, You Hear NAT
> http://blog.ipspace.net/2014/01/i-say-ula-you-hear-nat.html
>
> - PA, PI or ULA IPv6 Address Space? It depends
> http://blog.ipspace.net/2014/01/pa-pi-or-ula-ipv6-address-space-it.html
>
> - Source IPv6 Address Selection Saves the Day
> http://blog.ipspace.net/2014/01/source-ipv6-address-selection-saves-day.html
>
>
> Mark

Mark,

No, all of the messages in the thread are specific about NAT66, not NPT66.

NPT66 may have real value. I hate it, but it may well be better than
alternatives. It addresses an issue I have had with many of the IPv6
purists. I do think some of the arguments for it are over-stated. Getting a
/48 is trivial, but getting it routed is not, so there is a real issue, but
it remains unclear how big the issue really is. For most users,
multi-homing is fine, but not for servers. But smaller companies often farm
out their servers, so it's not an issue for them.

The one really significant issue I accept as real is the expansion of the
routing tables. While the IPv6 table is still fairly small (~17k), it is
growing and has the potential to exceed the size of the IPv4 table (>500K)
which continues to grow due to deaggregation. For those not dealing with
backbone BGP, the issues include handling large numbers of prefixes and the
stability of routing tables (both RIBs and FIBs) with all of the churn.

Since I have retired, I have not been involved in IPv6 implementation or
technical discussion, but I started dealing with it back in the 1990s and,
until I retired in 2011, I had the first computer (a DEC Alpha) that had an
ARIN assigned IPv6 address sitting under my desk, hershey.es.net. (No, it
was no longer in use.)

I also opposed ULA. While I understood the arguments in its favor, I still
do not agree with them. I think ULA is simply a bad idea, but it is there
and we will have to deal with it... forever.
--
R. Kevin Oberman, Network Engineer, Retired
E-mail: rkoberman@gmail.com
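An added illustration, not part of the thread, of the prefix translation Mark describes for a ULA site with two uplinks, done the checksum-neutral way RFC 6296 (NPTv6) specifies for /48 prefixes: the prefix is swapped and the subnet word (bits 48-63) is adjusted so the one's complement sum of the address, and therefore every TCP/UDP checksum that covers it, is unchanged and needs no rewriting. The site prefix, the uplink names and the provider prefixes are constructed values; the 0xFFFF-to-0x0000 canonicalisation is this example's own choice.

```python
"""NPTv6 (RFC 6296) checksum-neutral prefix translation, /48 case."""
import ipaddress


def _words(addr):
    """Split a 128-bit address into eight 16-bit words."""
    p = ipaddress.IPv6Address(addr).packed
    return [int.from_bytes(p[i:i + 2], "big") for i in range(0, 16, 2)]


def _ones_sum(words):
    """One's complement sum, folded to 16 bits (carries wrap around)."""
    s = sum(words)
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s


def npt66_translate(addr, from_prefix, to_prefix):
    """Replace the /48 prefix of addr and adjust word 3 (the subnet field) so
    the address keeps the same one's complement sum. Swap the prefixes to
    translate in the other direction; the mapping is stateless."""
    src = ipaddress.IPv6Network(from_prefix)
    dst = ipaddress.IPv6Network(to_prefix)
    if src.prefixlen != 48 or dst.prefixlen != 48:
        raise ValueError("this example handles /48 prefixes only")
    w = _words(addr)
    dst_w = _words(dst.network_address)[:3]
    if w[:3] != _words(src.network_address)[:3]:
        raise ValueError(f"{addr} is not inside {from_prefix}")
    # delta = sum(old prefix) - sum(new prefix); subtraction in one's
    # complement is addition of the bitwise complement.
    delta = _ones_sum([_ones_sum(w[:3]), (~_ones_sum(dst_w)) & 0xFFFF])
    w[:3] = dst_w
    w[3] = _ones_sum([w[3], delta])
    if w[3] == 0xFFFF:  # 0xFFFF and 0x0000 are the same one's complement value;
        w[3] = 0        # this example emits the canonical form (assumption)
    return ipaddress.IPv6Address(b"".join(x.to_bytes(2, "big") for x in w))


def checksum_neutral(a, b):
    """True if a and b contribute identically to a pseudo-header checksum."""
    return _ones_sum(_words(a)) % 0xFFFF == _ones_sum(_words(b)) % 0xFFFF


# Constructed site: ULA inside, one provider-assigned /48 per uplink.
INSIDE = "fd12:3456:789a::/48"
UPLINKS = {"isp_a": "2001:db8:1::/48", "isp_b": "2001:db8:2::/48"}


def outbound(addr, uplink):
    return npt66_translate(addr, INSIDE, UPLINKS[uplink])


def inbound(addr, uplink):
    return npt66_translate(addr, UPLINKS[uplink], INSIDE)
```

Because the translation is stateless and checksum-neutral, a flow that leaves via isp_a and one that leaves via isp_b carry different external addresses for the same internal host, which is exactly the property the dual-uplink argument relies on.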