Re: Cool IPv6 Stuff

• Previous message: Kradorex Xeron: "Re: Security gain from NAT (was: Re: Cool IPv6 Stuff)"
• In reply to: Adrian Chadd: "Re: Cool IPv6 Stuff"
• Next in thread: Donald Stahl: "Re: Cool IPv6 Stuff"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

On 5-jun-2007, at 4:29, Adrian Chadd wrote:

>> Don't forget that the reason NAT works to the degree that it does
>> today is because of all the workarounds in applications or protocol-
>> specific workarounds in the NATs (ALGs). In IPv6, you don't have any
>> of this stuff, so IPv6 NAT gets you nowhere fast with any protocol
>> that does more than something HTTP-like. (Yes, I've tried it.)

> Won't stateful firewalls have similar issues? Ie, if you craft a
> stateful
> firewall to allow an office to have real IPv6 addresses but not to
> allow
> arbitrary connections in/out (ie, the "stateful" bit), won't said
> stateful
> require protocol tracking modules with similar (but not -as-)
> complexity
> to the existing NAT modules?

I'm afraid so, yes.

http://arstechnica.com/articles/paedia/ipv6-firewall-mixed-blessing.ars

• Previous message: Kradorex Xeron: "Re: Security gain from NAT (was: Re: Cool IPv6 Stuff)"
• In reply to: Adrian Chadd: "Re: Cool IPv6 Stuff"
• Next in thread: Donald Stahl: "Re: Cool IPv6 Stuff"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]