On 5-jun-2007, at 4:29, Adrian Chadd wrote:
Don't forget that the reason NAT works to the degree that it does
today is because of all the workarounds in applications or protocol-
specific workarounds in the NATs (ALGs). In IPv6, you don't have any
of this stuff, so IPv6 NAT gets you nowhere fast with any protocol
that does more than something HTTP-like. (Yes, I've tried it.)

Won't stateful firewalls have similar issues? Ie, if you craft a
stateful firewall to allow an office to have real IPv6 addresses but
not to allow arbitrary connections in/out (ie, the "stateful" bit),
won't said stateful require protocol tracking modules with similar
(but not -as-) complexity to the existing NAT modules?

I'm afraid so, yes.
http://arstechnica.com/articles/paedia/ipv6-firewall-mixed-blessing.ars