|
|
| RE: Google wants to be your Internet |

|
2007-01-24 07:48:04 |
|
|
> The problem is that you can't be sure that if you use RFC1918
> today you won't be bitten by its non-uniqueness property in
> the future. When you're asked to diagnose a fault with a
> device with the IP address 192.168.1.1, and you've got an
> unknown number of candidate devices using that address, you
> really start to see the value in having world wide unique,
> but not necessarily publicly visible addressing.

A lot of people who implemented RFC 1918 addressing in the
past didn't actually read RFC 1918. They just heard the mantra
of address conservation and learned that RFC 1918 defined something
called "private" addresses. Then, without reading the RFC, they
made assumptions in interpreting the meaning of "private". Now,
many of those people or their successors have been bit hard by
problems created by using RFC 1918 addresses in networks which
are not really private at all, i.e. wholly unconnected from other
IP networks. Those people now see the benefits of using truly
globally unique registered addresses.

The whole address conservation mantra has turned out to be a lot
of smoke and mirrors anyway. The dotcom collapse followed by the
telecom collapse shows that it was a sham argument based on the
ridiculous theory that exponential growth of the network was
really sustainable. Now we live in a time where there is no
shortage of IP addresses. Even IPv4 addresses are not guaranteed
to ever run out as IPv6 begins to be used for some of the drivers
of network growth.

IPv6 makes NAT obsolete because IPv6 firewalls can provide all
the useful features of IPv4 NAT without any of the downsides.

--Michael Dillon
|
| Re: Google wants to be your Internet |

|
2007-01-24 08:29:57 |
|
|
On Jan 24, 2007, at 5:48 AM, bt.com> wrote:

> The whole address conservation mantra has turned out to be a lot
> of smoke and mirrors anyway.

At the time, yes, this particular issue was overhyped, just as the
routing-table-expansion issue was underhyped. As we move to an
'Internet of Things', however, it will become manifestl

With regards to the perceived advantages and disadvantages of IPv6 as
it is currently defined, there is a wide range of opinion on the
subject. For many, the 'still-need-NAT-under-IPv6 vs. IPv6-
eliminates-the-need-for-NAT' debate is of minor importance compared
to more fundamental questions.

-----------------------------------------------------------------------
Roland Dobbins cisco.com> // 408.527.6376 voice
Technology is legislation.
-- Karl Schroeder
|
| Re: Google wants to be your Internet |

|
2007-01-29 18:57:24 |
On Wed, Jan 24, 2007 at 01:48:04PM -0000, michael.dillon bt.com wrote:
...
> IPv6 makes NAT obsolete because IPv6 firewalls can provide all
> the useful features of IPv4 NAT without any of the downsides.
...

IPv6 firewalls? Where? Good ones?

--
Joe Yao
-----------------------------------------------------------------------
This message is not an official statement of OSIS Center policies.
|
|
| Re: Google wants to be your Internet |

|
2007-01-29 19:05:09 |
* Joseph S D Yao <jsdy center.osis.gov> [2007-01-30 01:59]:
>
> On Wed, Jan 24, 2007 at 01:48:04PM -0000, michael.dillon bt.com wrote:
> ...
> > IPv6 makes NAT obsolete because IPv6 firewalls can provide all
> > the useful features of IPv4 NAT without any of the downsides.
> ...
>
> IPv6 firewalls? Where? Good ones?

OpenBSD's pf has support for v6 for years now.

--
Henning Brauer, hb bsws.de, henning openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
|
|
| Re: Google wants to be your Internet |

|
2007-01-29 19:34:01 |
On 29-Jan-2007, at 20:12, Brandon Galbraith wrote:

> On 1/29/07, Henning Brauer <hb-nanog bsws.de> wrote:
>
> * Joseph S D Yao <jsdy center.osis.gov> [2007-01-30 01:59]:
> >
> > IPv6 firewalls? Where? Good ones?
>
> OpenBSD's pf has support for v6 for years now.
>
> Do a fair amount of appliance firewalls support it?

To be fair, I think the question was about good firewalls, not
appliances.

Joe
|
|
| Re: Google wants to be your Internet |

|
2007-01-29 22:21:59 |
Joseph S D Yao wrote:
> On Wed, Jan 24, 2007 at 01:48:04PM -0000, michael.dillon bt.com wrote:
> ...
>> IPv6 makes NAT obsolete because IPv6 firewalls can provide all
>> the useful features of IPv4 NAT without any of the downsides.
> ...
>
> IPv6 firewalls? Where? Good ones?

There are vendors on this list that make/sell/support ipv6 firewalls. If
you have a need, you should be able to arrange for an eval from several
of them.

regards
joelja
|
|
| Re: Google wants to be your Internet |

|
2007-01-30 00:59:17 |
On Mon, 29 Jan 2007 19:57:24 -0500
Joseph S D Yao <jsdy center.osis.gov> wrote:
>
> On Wed, Jan 24, 2007 at 01:48:04PM -0000, michael.dillon bt.com wrote:
> ...
> > IPv6 makes NAT obsolete because IPv6 firewalls can provide all
> > the useful features of IPv4 NAT without any of the downsides.
> ...
>
> IPv6 firewalls? Where? Good ones?
>

Checkpoint claims to have supported IPv6 since 2002:
http://www.checkpoint.com/press/2002/ipv6_081402.html

--Steve Bellovin, http://www.cs.columbia.edu/~smb
|
|
| RE: Google wants to be your Internet |

|
2007-01-30 14:04:25 |
Hi,

PIX/ASA Supports IPv6 Apparently, see below.
Don't know anyone who has tested it yet though

http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080636f44.html

Mark

-----Original Message-----
From: owner-nanog merit.edu [mailto:owner-nanog merit.edu] On Behalf Of Joe Abley
Sent: 30 January 2007 01:34
To: Brandon Galbraith
Cc: nanog merit.edu
Subject: Re: Google wants to be your Internet

On 29-Jan-2007, at 20:12, Brandon Galbraith wrote:

> On 1/29/07, Henning Brauer <hb-nanog bsws.de> wrote:
>
> * Joseph S D Yao <jsdy center.osis.gov> [2007-01-30 01:59]:
> >
> > IPv6 firewalls? Where? Good ones?
>
> OpenBSD's pf has support for v6 for years now.
>
> Do a fair amount of appliance firewalls support it?

To be fair, I think the question was about good firewalls, not
appliances.

Joe
|
|
| Re: IPv6 Firewalls |

|
2007-01-30 16:36:58 |
On Tue, Jan 30, 2007 at 09:43:52PM -0500, J. Oquendo wrote:
...
> A lot of vendor information on this, etc. can be summarized over at
> http://www.moonv6.org/ (or at least the hype of it)
...

This is why I asked: at some point last year, those guys said NO
firewalls were IPv6-ready yet.

--
Joe Yao
-----------------------------------------------------------------------
This message is not an official statement of OSIS Center policies.
|
|
| Re: IPv6 Firewalls |

|
2007-01-30 21:55:48 |
Joseph S D Yao wrote:
> On Tue, Jan 30, 2007 at 09:43:52PM -0500, J. Oquendo wrote:
> ...
>
>> A lot of vendor information on this, etc. can be summarized over at
>> http://www.moonv6.org/ (or at least the hype of it)
>>
> ...
>
> This is why I asked: at some point last year, those guys said NO
> firewalls were IPv6-ready yet.
>

From their last tests
(http://www.moonv6.org/project/july2006/Moonv6_2006_Whitepaper.pdf) it
seemed they accomplished a lot of their tasks. They didn't include the
list of vendors that tested though:

// PAGE 7

Firewall deep-inspection functionality of application traffic in a mixed
IPv4/IPv6 environment was validated and compared with the same test
scenarios in an IPv4 environment. A realistic protocol mix was
configured to simulate the forwarding and blocking capabilities in an
actual network.

A critical concern that must be addressed in an IPv4/IPv6 transition
environment is equivalent quality of the user experience. If a security
device performs adequately with IPv4, it should also sustain comparable
performance levels when processing mixed IPv4/IPv6 and pure IPv6
traffic. Responding to that concern, the 2006 Moonv6 Transition Test
Suite included performance tests that compared security devices IPv6 and
mixed IPv4/IPv6 performance. These tests used real-world application mix
traffic to measure the metrics. The tests successfully validated that
security devices can sustain adequate performance and QoE levels in
transition IPv4/IPv6 environments.

// END PAGE

--
====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
sil . infiltrated net http://www.infiltrated.net

The happiness of society is the end of government.
John Adams
|
|