[ipv6hackers] the end is near (or for IPv6: the beginning)

Richard Barnes richard.barnes at gmail.com
Wed Jan 15 20:31:05 CET 2014

If NAT were only used in firewalls where asymmetry is an issue, that would
be a big win.  Many of the major problems with NAT today are due to NATs
for singly homed networks (e.g., home nets, SOHO nets).

On Wednesday, January 15, 2014, Edward Lopez <elopez at fortinet.com> wrote:

> This is my personal opinion and not necessarily one shared with my company.
> IPv4 stateful firewalls have a heavy reliance on NAT functionality as a
> means of resolving asymmetric routing issues that would otherwise be
> problematic in otherwise multipath routing environments.  Proxy devices
> resolve asymmetry as a natural result of explicit proxy functions.  As IPv6
> migration accelerates, and the adoption of native IPv6 addressing down to
> endpoints becomes predominant, we will begin to see interesting issues
> arise:
> - A sharp rise in asymmetry issues with stateful firewalls in multipath
> environments
> - An increase in direct attacks against IPv6 endpoints, due to the removal
> of the NAT boundary
> - A strong effort to deploy NAT66 (RFC 6296) for use in FW/CGN boundaries
> - A resurgence of proxy-based security
> - The need to resolve asymmetry will be exacerbated by the deployment
> of IPv6 anycast services
> With the recent allegations that the NSA TAO has compromised a number of
> commercial stateful firewall systems, I would think that more intelligent
> organizations will be reconsidering their network security strategies in
> their migration plans to IPv6.
> Ed
> On Jan 4, 2014, at 12:29 PM, Jens Link <lists at quux.de> wrote:
> Marc Heuse <mh at mh-sec.de> writes:
> Expect everyone in the USA to be totally surprised when this happens
> (like every year in Chicago in Winter when it starts snowing)  ;-)
> Or Windows XP support running out. ;-)
> Jens
> _______________________________________________
> Ipv6hackers mailing list
> Ipv6hackers at lists.si6networks.com
> http://lists.si6networks.com/listinfo/ipv6hackers
