ietf
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Netfilter (Linux) Does IPv6 NAT

2011-12-06 10:42:34
from [Greg Daley] [Permanent Link] 
Hi Martin, 


The assumption that information is present only within the IP address is 
erroneous.
This has been studied for mobile IPv6 users as well, and there is information 
leakage up and down the stack.

We have local source address selection mechanisms in recent Windows versions 
that use randomized IIDs on outbound connections today.  This doesn't prevent 
exposure of the information regarding the internal network structure, but nor 
do firewalls at publically addressed IPv4 institutions today.

Putting NATs on the path just causes the device inside the network to be 
unaware of its presented addresses, which means that it will impede 
peer-to-peer communications, as it cannot even describe its available services 
without external information services.

This is the awful situation in IPv4 today:  Address scarcity is not the 
problem, addressability is the problem.

Greg Daley


-----Original Message-----
From: ietf-bounces(_at_)ietf(_dot_)org 
[mailto:ietf-bounces(_at_)ietf(_dot_)org] On Behalf Of
Martin Rex
Sent: Tuesday, 6 December 2011 1:00 PM
To: mail-dated-1325290081(_dot_)a3a4e0(_at_)sabahattin-gucukoglu(_dot_)com
Cc: ietf(_at_)ietf(_dot_)org
Subject: Re: Netfilter (Linux) Does IPv6 NAT

Sabahattin Gucukoglu wrote:


In case you didn't see this:
http://www.h-online.com/open/news/item/Netfilter-developers-working-

on

-NAT-for-ip6tables-1385877.html

It's a complete IPv6 NAT implementation with the functionality of the
IPv4 one in the same stack.  ALGs.  Port translation.  Connection
tracking.  You don't need me to tell you why I don't like this.



I fail to understand the issue that you have with this.

Doing home gateways and *NOT* using dynamic temporary IPv6 addresses
for outbound connections by default (i.e. *NO* static network prefix
that can be linked to a single ISP customer) would be extremely
irresponsible with respect to data privacy protection.

Without that, I consider IPv6 a complete no-go.

And many DSL routers are based on Linux, so having an implementation of
such a NAT is a prerequisite before IPv6 can be reasonably offered to
home customers in Europe.

I'm perfectly OK with folks getting static IPv6 network prefixes for
specific applications that desperately need it.  But the default
definitely ought to be temporary dynamic IPv6 addresses, especially for
outbound connections.


-Martin
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Consensus Call: draft-weil-shared-transition-space-request, Greg Daley
Next by Date:  RE: Netfilter (Linux) Does IPv6 NAT, Greg Daley
Previous by Thread:  Re: Netfilter (Linux) Does IPv6 NAT, Mark Andrews
Next by Thread:  Re: Netfilter (Linux) Does IPv6 NAT, Martin Rex
Indexes:  [Date] [Thread] [Top] [All Lists]