
Re: Does IPv6 preclude use of a NAT gateway?



On 12/07/11 12:22, Nico Kadel-Garcia wrote:
> On Mon, Jul 11, 2011 at 10:13 PM, Scott Ferguson 
> <prettyfly.productions@gmail.com> wrote:
>> On 12/07/11 07:58, Paul E Condon wrote:
>>> On 20110710_225108, Erwan David wrote:
>>>> On 10/07/11 20:34, Randy Kramer wrote:
>>>>> 
>>>>>> Also, ipv6 firewalling is very annoying on the gateway (due
>>>>>> to the icmpv6 filtering which must be done right). When
>>>>>> possible, get a script that does most of it right for you
>>>>>> (or check RFC 4890).
>>>>> 
>>>>> Sounds like good advice.
>>>>> 
>>>>> Randy Kramer
>>>>> 
>>>> 
>>>> shorewall6 is quite good at setting the rules for IPv6.
>>> 
>>> I am puzzled by this discussion. Without going into any features
>>> of IPv6, the reason NAT works for IPv4 that I have been taught is
>>> the 192.168.xxx.xxx are illegal on the actual internet.
>> 
>> Correction (pedantic semantics), not *illegal*, just not supposed
>> to be used in Class A environments (because it won't work). You
>> *will* find class C addresses used on internet exposed boxen - you
>> just won't be able to load the links (DNS doesn't cope with
>> duplicate IP entries).
> 
> Oh, my. You can load the IP addresses *directly*, by IP address, and 
> access them if you have a route to them.

*If you have a route*.... in the examples given there is no route, hence
NAT.

I simplified things (as noted in the original post) as a means of
explaining why NAT != security.
CIDR would take more time than I have available to explain.

> This is quite common inside VPN's,

You can NAT VPN can *you*? :-)

> and as an example is common to all of AOL's internal server address
> space (which uses the 10.0.0.0/24 address space,

See my comment about CIDR.
AFAIK AOL only started that in the early 90s - so I'm not sure what you're
trying to say.

> or did a few years ago.) It's also common in internal networks where
> 192.168.1.0/24

Apropos of the examples given - access from the internet to
machines behind a NAT??

> might be dedicated to a demilitarized zone for external servers, 
> 192.168.2.0/24 might be your internal hosts, 192.168.100.0/24 is 
> dedicated for idiots who connect internal NAT gateways, etc.

Again - I used "Class" addressing for the purposes of the example - feel
free to use 8.8.8.8 for a private address. The point of your comment
is?? (seriously)

> 
> The lack of routes to such non-routable address ranges is a 
> *convention*, (http://en.wikipedia.org/wiki/Private_network), and 
> published in numerous RFC's.

No dispute there - see my comment about the distinction between illegal
and unworkable.

> 
> IPv6 has its own..... ideas about how to deal with this, but it 
> certainly has reserved, non-routable address spaces.
> 
Not sure what post you're replying to - I certainly didn't say anything
about a lack of reserved addresses with IPv6.

If information is your desire - I was, clearly, responding to Randy's
question. Apart from the redundant Wikipedia quote I can't see the
relevance of your post to anything I've said.

Cheers

-- 
What did moths bump into before the electric light bulb was invented?
Boy, the lightbulb really screwed the moth up didn't it? Are there moths
on their way to the sun now going, "It's gonna be worth it!"
~ Bill Hicks

