North American Network Operators Group
Re: Google wants to be your Internet
Henning Brauer <[email protected]> wrote:
>> > IPv6 makes NAT obsolete because IPv6 firewalls can provide all
>> > the useful features of IPv4 NAT without any of the downsides.
>> ...
>>
>> IPv6 firewalls? Where? Good ones?
> OpenBSD's pf has support for v6 for years now.

Which works pretty well if you forget one tiny thing (from pf.conf(5))

| FRAGMENT HANDLING
| [...]
| Currently, only IPv4 fragments are supported and IPv6 fragments are
| blocked unconditionally.

which can bite you in the ass pretty hard if you don't expect it.
Fragments are valid packets and crucial for many applications, so
unconditional blocking (even with a "pass inet6 from any to any"
policy) is bad.

Other working solutions are

- Linux + nf_conntrack (maybe in a few kernel versions, there was an
  OOPS in 2.6.20-rc5 with (tadaaa) fragment handling, fixed though)
- Cisco ASA and FWSM
- IIRC Juniper (Netscreen) firewalls

and I guess some more.

Regards,
Bernhard
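Added example, not part of the thread above: a small Python parser that walks an IPv6 extension-header chain and reports the Fragment header (RFC 8200) that pf, per the quoted pf.conf(5) text, drops unconditionally, which is handy for checking captures from a host behind such a firewall. The packets, the hop-by-hop option and the 2001:db8:: addresses are constructed samples.

```python
import ipaddress
import struct

# IPv6 next-header values used below (RFC 8200 extension headers, UDP).
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, UDP = 0, 43, 44, 60, 17
# Headers with the generic (next_header, hdr_ext_len in 8-octet units) prefix.
# AH (51) counts its length in 4-octet units and is deliberately not handled.
CHAINED = {HOP_BY_HOP, ROUTING, DEST_OPTS}

# Constructed sample addresses (documentation prefix), assumption of this example.
SRC = ipaddress.ip_address("2001:db8::1").packed
DST = ipaddress.ip_address("2001:db8::2").packed


def parse_ipv6(pkt: bytes) -> dict:
    """Return the upper-layer protocol and, if present, the Fragment header fields."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr, off = pkt[6], 40
    info = {"fragment": None, "protocol": None}
    while True:
        if next_hdr == FRAGMENT:
            if off + 8 > len(pkt):
                raise ValueError("truncated fragment header")
            nxt, _res, frag_field, ident = struct.unpack("!BBHI", pkt[off:off + 8])
            info["fragment"] = {
                "offset": (frag_field >> 3) * 8,  # 13-bit offset, in 8-octet units
                "more": bool(frag_field & 1),     # M flag: more fragments follow
                "id": ident,
            }
            next_hdr, off = nxt, off + 8
        elif next_hdr in CHAINED:
            if off + 2 > len(pkt):
                raise ValueError("truncated extension header")
            next_hdr, off = pkt[off], off + (pkt[off + 1] + 1) * 8
        else:
            info["protocol"] = next_hdr
            return info


def fragment_header(next_proto: int, offset_bytes: int, more: bool, ident: int) -> bytes:
    """Build a Fragment extension header; offset must be a multiple of 8."""
    return struct.pack("!BBHI", next_proto, 0, ((offset_bytes // 8) << 3) | int(more), ident)


def build_packet(ext_headers: bytes, first_ext: int, payload: bytes) -> bytes:
    """Constructed sample: fixed IPv6 header, raw extension headers, payload."""
    fixed = struct.pack("!IHBB", 0x60000000, len(ext_headers) + len(payload), first_ext, 64)
    return fixed + SRC + DST + ext_headers + payload
```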