nanog mailing list archives
Re: AWS and IPv6
From: William Herrin <bill () herrin us>
Date: Sun, 28 Nov 2021 18:23:03 -0800
On Sun, Nov 28, 2021 at 4:13 PM William Herrin <bill () herrin us> wrote:
> Yeah, they don't even have a practical way to implement a firewall instance for IPv6. Unless you want to mirror 1:many NAT for IPv6 like you do IPv4. You just can't route an IPv6 block to an instance. And with 1:many NAT you wouldn't want public IP addresses inside but AWS doesn't let you assign ULA addresses inside the subnet, only global addresses.

I stand corrected on this.

https://aws.amazon.com/blogs/aws/inspect-subnet-to-subnet-traffic-with-amazon-vpc-more-specific-routing/
https://aws.amazon.com/blogs/aws/new-vpc-ingress-routing-simplifying-integration-of-third-party-appliances/

This technique does in fact work for IPv6, allowing you to insert a firewall at the edge. Interestingly though, it won't receive IPv6 packets for an address that isn't attached to a running instance in the interior subnet.

Regards,
Bill Herrin

--
William Herrin
bill () herrin us
https://bill.herrin.us/