nanog mailing list archives

Re: Requirements for IPv6 Firewalls


From: Seth Mos <seth.mos () dds nl>
Date: Fri, 18 Apr 2014 07:16:51 +0200


On 17 Apr 2014, at 20:50, William Herrin <bill () herrin us> wrote:

On Thu, Apr 17, 2014 at 2:32 PM, Eugeniu Patrascu <eugen () imacandi net> wrote:
It's a bigger risk to think that NAT somehow magically protects you against
stuff on the Internet.

You are entitled to your opinion and you are entitled to run your
network in accordance with your opinion.

To vendors who would sell me product, I would respectfully suggest
that attempts to forcefully educate me as to what I *should want*
offers neither a short nor particularly successful path to closing a
sale.

Having deployed IPv6 at the internet point and halfway into the company I work for, I can tell you that I am *really*
glad that I can now see what a firewall rule does properly, instead of also having to peer at the NAT table, which is 1:1
or a port forward etc. Also, when IPv4 NAT and rules don't match up, hilarity ensues.

It greatly improves my workflow, it’s just become a whole lot easier for me.

NAT66 definitely has a place, and I'm a huge proponent of it for the small SMB people and home users, so they can do
Multi-WAN without BGP. That part isn't solved yet by the IETF, but at least there is a really good RFC for NPt.

In my experience it improves security because of the transparency.

For anything resembling > 100 people, get an ASN, PI and BGP. You'll thank me later; you are unlikely to have to renumber
anything (1).

Kind regards,

Seth

(1) Yeah I know, unless you grow from a /48 to a /32

Regards,
Bill Herrin


-- 
William D. Herrin ................ herrin () dirtside com  bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004



