[Courses] [Security] IPv6 and NAT (was: Firewall theory -- UDP and nameservers)
Raven, corporate courtesan
raven at oneeyedcrow.net
Tue Mar 26 20:38:25 EST 2002
Heya --
Quoth Kai MacTane (Mon, Mar 25, 2002 at 01:23:31PM -0800):
> >The diehard IPv4 addict's 'solution' to running out of real addresses.
> >Once we force them all to move to IPv6, NAT will vanish.
>
> I can't see why; NAT is also useful for security. Take my house network: I
> have DSL with four static IPs. The Slackware Linux machine "surehand" gets
> three of those, with the Mandrake machine "kitchengod" having the other.
> kitchengod runs ipchains, and has a second NIC, which the four Windows 9x
> boxen in the house plug into. They get their IP addresses from DHCP, in a
> 192.168 range.
Well, NAT will change dramatically with IPv6. There's a similar
chunk of address space built into the protocol -- the local-use unicast
addresses. (RFC 2373, 2.5.8) These site-local addresses (there are
also link-local addresses) shouldn't be sent outside of the site by any
RFC-compliant router. So by the very design of IPv6, you shouldn't see
things like UUNet announcing 10-space into the global internet and
causing many routing problems. [grin] That happened a few years back.
It was ugly.
http://www.rfc.net/rfc2373.html for interested parties.
Cheers,
Raven
"Incoming packet over rabbit. SYN."
"Incoming packet over duck. quACK!"
-- me and Tiff, flinging stuffed animals and tech humor
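
The scoping rule described in the message above, as an added example that is not part of the original post: a forwarding check for the two local-use unicast prefixes of RFC 2373, section 2.5.8. The function names, the boundary labels and the sample packets are assumptions made for illustration.

```python
import ipaddress

# Local-use unicast prefixes from RFC 2373, section 2.5.8.
LINK_LOCAL = ipaddress.ip_network("fe80::/10")
SITE_LOCAL = ipaddress.ip_network("fec0::/10")

# Scope ranks: a packet may only cross a boundary narrower than its scope.
SCOPE_RANK = {"link": 1, "site": 2, "global": 3}


def unicast_scope(addr):
    """Return 'link', 'site' or 'global' for an IPv6 address.

    Only the two local-use prefixes are modelled; everything else
    is treated as global (an assumption of this sketch).
    """
    ip = ipaddress.IPv6Address(addr)
    if ip in LINK_LOCAL:
        return "link"
    if ip in SITE_LOCAL:
        return "site"
    return "global"


def may_forward(src, dst, boundary):
    """True if a router may forward the packet across `boundary`.

    boundary is 'link' (between two links inside the site) or
    'site' (the site border, towards the internet).
    """
    narrowest = min(SCOPE_RANK[unicast_scope(src)], SCOPE_RANK[unicast_scope(dst)])
    return narrowest > SCOPE_RANK[boundary]


def audit(packets, boundary):
    """Return the (src, dst) pairs that must be dropped at this boundary."""
    return [p for p in packets if not may_forward(p[0], p[1], boundary)]


# Constructed sample traffic; 2001:db8::/32 is the documentation prefix.
SAMPLE = [
    ("2001:db8:1::10", "2001:db8:ffff::53"),  # global to global
    ("fec0:0:0:1::10", "2001:db8:ffff::53"),  # site-local source
    ("2001:db8:1::10", "fec0:0:0:2::20"),     # site-local destination
    ("fe80::1", "fe80::2"),                   # link-local on both ends
    ("fec0:0:0:1::10", "fec0:0:0:2::20"),     # site-local on both ends
]

if __name__ == "__main__":
    for boundary in ("link", "site"):
        for src, dst in audit(SAMPLE, boundary):
            print(f"{boundary} boundary: drop {src} -> {dst}")
```

RFC 3879 later deprecated the site-local prefix, but fec0::/10 is still worth dropping at a site border.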