Friday, December 31, 2010

firewall-wizards Digest, Vol 54, Issue 5

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: IPv6 (John Kougoulos)
2. Re: IPv6 (Martin Barry)


----------------------------------------------------------------------

Message: 1
Date: Thu, 30 Dec 2010 10:29:07 +0200
From: John Kougoulos <koug@intranet.gr>
Subject: Re: [fw-wiz] IPv6
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Cc: Martin Barry <marty@supine.com>
Message-ID: <4D1C42D3.1080107@intranet.gr>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

On 12/29/2010 11:33 AM, Martin Barry wrote:
> $quoted_author = "Mathew Want" ;
>>
>> Because I do not want my workstations to be routed to from the internet.
>
> Then you want a stateful firewall, not NAT66.
>
> Or do you have other reasons for wanting NAT66?
>

I see NAT66 helpful on eg site-to-site VPNs.

eg. Suppose that I have the prefix 2001:db8:85a3::/48 and I have some of my
internet-accessible machines on 2001:db8:85a3:3::/64 and some "internal"
machines on 2001:db8:85a3:2::/64 , 2001:db8:85a3:4::/64.

If the other side of the site-to-site VPN routes the whole
2001:db8:85a3::/48 over the VPN in order to access the "internal"
machines, they will try to access also the Internet accessible machines
over the site-to-site VPN, which could mean that they may bypass some
controls, or that I have to open tons of ACLs on various firewalls, not
to mention the possible asymmetric routing issues.

If I could NAT66 the 2001:db8:85a3::/48 to a ULA::/48 space, I believe
it would be much easier to manage, since the other side would have to
route the ULA space to the VPN.

Regards,
John Kougoulos

------------------------------

Message: 2
Date: Thu, 30 Dec 2010 09:48:24 +0100
From: Martin Barry <marty@supine.com>
Subject: Re: [fw-wiz] IPv6
To: firewall-wizards@listserv.cybertrust.com
Message-ID: <20101230084824.GA5190@merboo.mamista.net>
Content-Type: text/plain; charset=us-ascii

$quoted_author = "John Kougoulos" ;
>
> I see NAT66 helpful on eg site-to-site VPNs.
>
> eg. Suppose that I have the prefix 2001:db8:85a3::/48 and I have some of my
> internet-accessible machines on 2001:db8:85a3:3::/64 and some "internal"
> machines on 2001:db8:85a3:2::/64 , 2001:db8:85a3:4::/64.
>
> If the other side of the site-to-site VPN routes the whole
> 2001:db8:85a3::/48 over the VPN in order to access the "internal"
> machines, they will try to access also the Internet accessible machines
> over the site-to-site VPN, which could mean that they may bypass some
> controls, or that I have to open tons of ACLs on various firewalls,
> not to mention the possible asymmetric routing issues.
>
> If I could NAT66 the 2001:db8:85a3::/48 to a ULA::/48 space, I
> believe it would be much easier to manage, since the other side
> would have to route the ULA space to the VPN.

Why not just build the VPN with only the two /64s in the configuration and
not the entire /48?

And if you need to adjust routing and other firewalls, surely that's the
best way to do it rather than NATing them into some IPs that are already
privileged.

cheers
Marty
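The disagreement above (route the whole /48 through NAT66 into ULA space, versus Martin's suggestion of putting only the two internal /64s in the VPN configuration) comes down to one question: does the prefix set the peer routes over the tunnel overlap the Internet-facing /64? The following is an added worked example, not code from either poster, using only the Python standard library and the documentation prefixes from the thread. The function names and the constants SITE_PREFIX, INTERNAL and DMZ are mine; it also shows what happens if someone "summarises" the two internal /64s into a single covering prefix.

```python
"""Added example: check which prefixes a site-to-site VPN peer should route,
and whether a proposed route / traffic-selector set would also pull the
Internet-facing subnet over the tunnel (the leak John describes when the
remote side routes the entire /48 through the VPN)."""
import ipaddress
from typing import Iterable, List

# Prefixes as given in the thread (RFC 3849 documentation space).
SITE_PREFIX = ipaddress.ip_network("2001:db8:85a3::/48")
# Subnets the remote site is allowed to reach over the VPN ("internal").
INTERNAL = [ipaddress.ip_network(p)
            for p in ("2001:db8:85a3:2::/64", "2001:db8:85a3:4::/64")]
# Subnet that must stay reachable only via the public path.
DMZ = ipaddress.ip_network("2001:db8:85a3:3::/64")


def vpn_routes(allowed: Iterable[ipaddress.IPv6Network]) -> List[ipaddress.IPv6Network]:
    """Minimal route (or IPsec traffic-selector) set for the peer: the allowed
    subnets, merged only where merging adds no address outside them.
    2::/64 and 4::/64 are not adjacent, so they stay as two entries."""
    return list(ipaddress.collapse_addresses(allowed))


def leaked_prefixes(routes: Iterable[ipaddress.IPv6Network],
                    protected: Iterable[ipaddress.IPv6Network]) -> List[ipaddress.IPv6Network]:
    """Return every protected prefix that at least one proposed route overlaps.
    An empty list means the tunnel cannot attract traffic for those subnets."""
    routes = list(routes)
    return [p for p in protected if any(p.overlaps(r) for r in routes)]


def supernet_covering(nets: Iterable[ipaddress.IPv6Network]) -> ipaddress.IPv6Network:
    """Smallest single prefix containing all of nets: what a careless
    'just summarise it' on the remote router would produce."""
    nets = list(nets)
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return candidate


if __name__ == "__main__":
    good = vpn_routes(INTERNAL)
    print("peer should route:", [str(r) for r in good],
          "leaks:", leaked_prefixes(good, [DMZ]))
    print("whole /48 leaks:", leaked_prefixes([SITE_PREFIX], [DMZ]))
    summary = supernet_covering(INTERNAL)
    print("summarised", summary, "leaks:", leaked_prefixes([summary], [DMZ]))
```

Running it shows that the two-entry route set touches nothing in the DMZ, while both the whole /48 and the tightest single summary (2001:db8:85a3::/61, which spans subnets 0 through 7) do overlap 2001:db8:85a3:3::/64. The same check applies whether the routes come from static entries, a routing protocol over the tunnel, or IPsec traffic selectors; the NAT66-to-ULA scheme only moves the question to which ULA prefixes the peer routes, it does not remove it.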


------------------------------


End of firewall-wizards Digest, Vol 54, Issue 5
***********************************************