Sunday, January 02, 2011

firewall-wizards Digest, Vol 55, Issue 1

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: IPv6 (John Kougoulos)


----------------------------------------------------------------------

Message: 1
Date: Fri, 31 Dec 2010 11:02:58 +0200
From: John Kougoulos <koug@intranet.gr>
Subject: Re: [fw-wiz] IPv6
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <4D1D9C42.1060906@intranet.gr>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

On 12/30/2010 10:48 AM, Martin Barry wrote:
> $quoted_author = "John Kougoulos" ;
>>
>> I see NAT66 helpful on eg site-to-site VPNs.
>>
>> eg. Suppose that I have the prefix 2001:db8:85a3::/48 and I have some my
>> internet accessible machines on 2001:db8:85a3:3::/64 and some "internal"
>> machines on 2001:db8:85a3:2::/64 , 2001:db8:85a3:4::/64.
>>
>> If I could NAT66 the 2001:db8:85a3::/48 to a ULA::/48 space, I
>> believe it would be much easier to manage, since the other side
>> would have to route the ULA space to the VPN.
>
> Why not just build the VPN with only the two /64s in the configuration and
> not the entire /48?

This is possible too, but if you don't have only two /64s but 200,
wouldn't you prefer to NAT?

Usually, when you tell the administrator of the other side of the VPN
that he has to route 200 /64s, he will most probably route the whole /48.
And if he doesn't do it when you set up the VPN, after a couple of years
someone will do so.
And suddenly, your Internet facing web servers, DNS, mail servers will
not be accessible to the other site, because you have asymmetry in routing
and a firewall somewhere drops the return packets.

My point is that NAT gives you a lot of flexibility in those cases,
especially if you don't use ULA/RFC1918 addressing in your "internal"
network.

Best Regards,
John
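
The failure mode John describes (the peer routes the whole /48 into the tunnel, so traffic from the remote site to the Internet-facing /64 arrives via the VPN while the replies leave via the Internet path and a stateful firewall drops them) can be caught before it bites by checking the peer's tunnel routes against the local prefix plan. The block below is an added example, not code from the list post; it uses the prefixes from the thread and a hypothetical ULA /48 (fd12:3456:789a::/48) to show the check and the simplified prefix rewrite that the NAT66 suggestion relies on.

```python
"""Check a VPN peer's tunnel routes against our IPv6 prefix plan.

Added example, not from the mailing-list post. Prefixes follow the thread:
our aggregate is 2001:db8:85a3::/48, Internet-facing hosts live in
2001:db8:85a3:3::/64 and the "internal" /64s are the ones that should be
reachable over the site-to-site VPN. The ULA /48 is a constructed value.
"""
from ipaddress import IPv6Address, IPv6Network, ip_network

# Constructed sample prefix plan (hypothetical), mirroring the thread.
OUR_AGGREGATE = IPv6Network("2001:db8:85a3::/48")
INTERNET_FACING = [IPv6Network("2001:db8:85a3:3::/64")]
INTERNAL = [IPv6Network("2001:db8:85a3:2::/64"),
            IPv6Network("2001:db8:85a3:4::/64")]
ULA_AGGREGATE = IPv6Network("fd12:3456:789a::/48")  # hypothetical ULA space


def vpn_route_findings(remote_routes, internal=INTERNAL,
                       internet_facing=INTERNET_FACING):
    """Return (route, problem) pairs for routes the peer points at the tunnel.

    A route that is one of our internal prefixes, or a subnet of one, is
    fine: both directions stay inside the tunnel. Anything wider is flagged,
    and a route that also covers an Internet-facing prefix is the asymmetric
    routing case from the thread (request via VPN, reply via the Internet).
    """
    findings = []
    for route in (ip_network(r) for r in remote_routes):
        if any(route.subnet_of(i) for i in internal):
            continue
        covered = [str(p) for p in internet_facing if p.subnet_of(route)]
        if covered:
            findings.append((str(route),
                             "asymmetric: covers Internet-facing "
                             + ", ".join(covered)))
        elif route.subnet_of(OUR_AGGREGATE):
            findings.append((str(route), "wider than the internal prefixes"))
        else:
            findings.append((str(route), "outside our address plan"))
    return findings


def translate_prefix(addr, from_prefix, to_prefix):
    """Rewrite the network part of addr from one prefix to another.

    Simplified NAT66-style mapping: the prefix bits are swapped and the
    subnet id plus interface id are kept. It does not do the checksum-
    neutral adjustment of RFC 6296 NPTv6; it only illustrates the idea that
    the peer then needs a single route for the ULA /48.
    """
    if from_prefix.prefixlen != to_prefix.prefixlen:
        raise ValueError("prefix lengths must match")
    a = IPv6Address(addr)
    if a not in from_prefix:
        raise ValueError(f"{a} is not inside {from_prefix}")
    host_mask = (1 << (128 - from_prefix.prefixlen)) - 1
    return IPv6Address((int(a) & host_mask) | int(to_prefix.network_address))


if __name__ == "__main__":
    # The peer "helpfully" routed the whole /48 into the tunnel.
    for route, problem in vpn_route_findings(["2001:db8:85a3::/48"]):
        print(f"{route}: {problem}")
    # Only the internal /64s: nothing to report.
    print(vpn_route_findings(["2001:db8:85a3:2::/64", "2001:db8:85a3:4::/64"]))
    # What an internal host looks like once mapped into the ULA /48.
    print(translate_prefix("2001:db8:85a3:2::10", OUR_AGGREGATE, ULA_AGGREGATE))
```

Run it against the list of prefixes the peer actually configured (from their VPN or routing table export) whenever a tunnel is set up or changed; the "asymmetric" finding is the one that turns into unreachable public servers years later, as the post warns.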


------------------------------



End of firewall-wizards Digest, Vol 55, Issue 1
***********************************************
