From: "Krzysztof Olędzki" <ole@ans.pl>
To: Ed W <lists@wildgooses.com>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: NAT66 : A first implementation
Date: Mon, 18 Jul 2011 01:54:50 +0200
Message-ID: <4E23764A.1080404@ans.pl>
In-Reply-To: <4E2360C9.20304@wildgooses.com>
On 2011-07-18 00:23, Ed W wrote:
> Hi
Hi,
>> Also, how would you imagine readressing such network one day, when you
>> decide to change your ISP?
>
> Aha. This is a statement that you don't believe PI space will become
> easier to access when requesting IPV6 space?
IPv6 PI for everyone? Forget about it, we would shortly hit 1M or even
10M+ IPv6 prefixes and this way make BGP unreliable.
> There seems to be sufficient space for PI to become the norm to hand
> out. However, the current state of routing appears to struggle with
> IPV4 taken to the limit, and so there seems to be understandable
> reluctance to actually fix all the issues we have with IPV4 since some
> facets of the solution kill current routing hardware..?
>
> Mobile phone numbers are now interchangeable between phone companies in
> under 24 hours in the UK. Lets hope that PI space allocations become
> the norm under IPv6..?
You must not compare PSTN with IP this way. How many GSM operators are
there in the UK with their own network prefix? 50? 100? Now compare it to BGP
ASes. How long do you need to wait to initiate a call? Finally, how many
calls do you make per second? ;)
BTW: phone numbers are interchangeable not only in the UK and not only
mobile. ;)
>> Without NAT (and BTW without working and complete L3 security in
>> switches) no one will consider IPv6 seriously nor dare to implement it
>> in production. Of course NAT does not provide security but it provides a
>> real and useful privacy, opposite to annoying randomness.
>
> It's not clear to me that NAT solves L3 security any better than a
> non-nat firewall?
Sorry, English is not my native language, maybe I was not clear enough.
By L3 security in switches I meant:
- DHCPv6-snooping, like dhcp-snooping in IPv4, which protects your
network from unauthorized DHCP servers. Just think of someone enabling
connection sharing in Windows, grrr!
- ND-protect, like arp-protect in IPv4 - there is no ARP for IPv6
- "ipv6 source-lockdown", like "ip source-lockdown" [1], to protect
from ARP/IP spoofing/takeovers.
Such mechanisms are standard for enterprise and nowadays even SOHO edge
switches, but only for IPv4.
However, as IPv6 is totally different to IPv4, you also need many
additional mechanisms. For example, several IPv6 stacks are vulnerable
to RA DoS attack (google: "vulnerable ra ipv6"), and you would like to
filter unauthorized routers anyway.
But this is a little off-topic for Netfilter. ;)
[1] HP Procurve terminology.
Best regards,
Krzysztof Olędzki
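Added here as an illustration of the RA filtering mentioned in the message above (example code, not from this thread or from Netfilter): a minimal RA-Guard-style inspector in Python that checks ICMPv6 Router Advertisements against the RFC 4861 hop-limit and link-local rules, a constructed allowlist of authorized routers, and a prefix-option count that flags the RA-flood DoS pattern. The packets it inspects are constructed inline; the allowlist address and prefix threshold are assumptions.

```python
import ipaddress
import struct

ICMPV6, ROUTER_ADVERT, PREFIX_INFO = 58, 134, 3

# Constructed allowlist: the only router that may send RAs on this segment.
AUTHORIZED_ROUTERS = {ipaddress.IPv6Address("fe80::1")}

def build_ra(src, n_prefixes, hop_limit=255):
    """Construct a sample IPv6 packet carrying an ICMPv6 Router Advertisement."""
    # ICMPv6 RA header: type, code, checksum (0, not validated here), cur hop
    # limit, flags, router lifetime, reachable time, retrans timer.
    body = struct.pack("!BBHBBHII", ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0)
    for i in range(n_prefixes):
        prefix = ipaddress.IPv6Network(f"2001:db8:{i:x}::/64")  # constructed
        # Prefix Information option: type 3, length 4 (32 bytes), /64, L+A flags.
        body += struct.pack("!BBBBII", PREFIX_INFO, 4, 64, 0xC0, 2592000, 604800)
        body += b"\x00" * 4 + prefix.network_address.packed
    hdr = struct.pack("!IHBB", 6 << 28, len(body), ICMPV6, hop_limit)
    hdr += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address("ff02::1").packed
    return hdr + body

def inspect_ra(pkt, max_prefixes=8):
    """Return the reasons an RA should be dropped ([] = accept, None = not an RA)."""
    plen, nxt, hlim = struct.unpack("!HBB", pkt[4:8])
    src = ipaddress.IPv6Address(pkt[8:24])
    if pkt[0] >> 4 != 6 or nxt != ICMPV6 or pkt[40] != ROUTER_ADVERT:
        return None
    reasons = []
    if hlim != 255:  # RFC 4861: RAs must arrive with hop limit 255 (sent on-link)
        reasons.append("hop limit != 255")
    if not src.is_link_local:
        reasons.append("source is not link-local")
    if src not in AUTHORIZED_ROUTERS:
        reasons.append(f"unauthorized router {src}")
    # Walk the options (type, length in units of 8 octets) and count prefixes:
    # RAs each carrying many prefixes are the RA-flood DoS pattern.
    off, prefixes = 56, 0
    while off + 2 <= 40 + plen:
        otype, olen = pkt[off], pkt[off + 1]
        if olen == 0:
            reasons.append("malformed option with length 0")
            break
        prefixes += otype == PREFIX_INFO
        off += olen * 8
    if prefixes > max_prefixes:
        reasons.append(f"{prefixes} prefix options (RA flood pattern)")
    return reasons
```

In a real deployment the same checks belong at the switch port (RA-Guard) or in an ip6tables/nftables rule that drops ICMPv6 type 134 from anything but the known router; the script only shows what those rules decide on.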
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html