I feel like you are conflating two things, stateful firewalls and NPTv6
(or any form of NAT). They are often done on the same box together, but
they are not inherently linked.
I dislike NAT in an IPv6 environment, as I've generally not found a use
for it not better served by something else, but also IPv6 things are not
used to NAT being used; I'd expect much more breakage, given that most
IPv6 stacks are likely not well tested in the presence of NAT. IPv4
things have learned how to accept and handle NAT, and some of that I'm
sure carries over to IPv6, but in IPv6 it's very much an edge case,
where it's the norm in IPv4.
I do understand the desire for a stateful firewall in the IPv6 context
and see them deployed at home/business/enterprise network edge pretty
much for every IPv6 enabled network, often with a carve-out for ICMP,
but otherwise blocking all inbound traffic not matching an existing
connection initiated by the device behind the firewall. You may have
some reason you can't just employ a stateful firewall without NAT, but
if so you haven't said so and seem to have linked them as if they were
inseparable. A stateful firewall will block internet-initiated traffic,
which seems to be the main goal you have, and it will not have the
negative side effects of NAT, though you do have the need to force
symmetrical routing at the point of the firewall and carry state (though
as long as routing symmetry is maintained a user's traffic can freely
use multiple firewalls for different traffic, say one for traffic headed
towards a content provider cache box and a different one for traffic
heading onto the general public internet, which may help with some
scaling considerations).
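Added example, not part of the thread: a toy model of the NAT-free IPv6 stateful edge firewall described above (outbound creates state, inbound must match existing state, ICMPv6 carved out), including the routing-symmetry caveat, where return traffic that lands on a second firewall without that flow's state is dropped. Prefixes, addresses and ports are constructed.

```python
"""Toy IPv6 stateful firewall with no address translation (constructed example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str  # "tcp", "udp" or "icmpv6"


class StatefulFirewall:
    """Permit anything leaving the inside prefix and record the flow; admit
    inbound packets only if they reverse a recorded flow. ICMPv6 is carved
    out because ND and Path MTU Discovery break without it. No translation
    table exists: inside hosts keep their real global addresses."""

    def __init__(self, inside_prefix: str) -> None:
        self.inside = ipaddress.ip_network(inside_prefix)
        self.flows: set[tuple] = set()  # (src, sport, dst, dport, proto)

    def _is_inside(self, addr: str) -> bool:
        return ipaddress.ip_address(addr) in self.inside

    def forward(self, p: Pkt) -> str:
        if p.proto == "icmpv6":
            return "accept"
        if self._is_inside(p.src) and not self._is_inside(p.dst):
            self.flows.add((p.src, p.sport, p.dst, p.dport, p.proto))
            return "accept"  # outbound: create state
        if (p.dst, p.dport, p.src, p.sport, p.proto) in self.flows:
            return "accept"  # inbound reply to a known flow
        return "drop"  # unsolicited inbound


def demo() -> dict:
    """Two firewalls front the same subscriber prefix, one on the path toward
    a content cache and one toward the general internet (constructed)."""
    fw_cache = StatefulFirewall("2001:db8:1::/48")
    fw_inet = StatefulFirewall("2001:db8:1::/48")
    client, cache = "2001:db8:1::10", "2001:db8:f::1"
    out = Pkt(client, 50000, cache, 443, "tcp")
    back = Pkt(cache, 443, client, 50000, "tcp")
    return {
        "outbound": fw_cache.forward(out),
        "symmetric_return": fw_cache.forward(back),
        "asymmetric_return": fw_inet.forward(back),  # state lives on fw_cache
        "unsolicited_inbound": fw_cache.forward(Pkt("2001:db8:f::2", 4444, client, 22, "tcp")),
        "icmpv6_inbound": fw_cache.forward(Pkt("2001:db8:f::2", 0, client, 0, "icmpv6")),
    }
```

Routing symmetry is what keeps `asymmetric_return` from happening in practice: each subscriber flow must come back through the box that holds its state, but different flows may use different boxes.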
On 2/3/2025 3:14 PM, Amos Rosenboim via NANOG wrote:
Roland,
Thanks for your comments.
As much as I love to be a network purist who hates state maintenance in
the core of the network, the sad reality is that these devices are there
and will remain there for the foreseeable future.
Mobile operators need IPv4 address sharing and many of them choose to do
it with CGNAT.
Even with IPv6, many of the operators I know of do not allow internet
initiated traffic towards their subscribers.
Some of their reasons are even surprisingly valid, such as avoiding
unnecessary paging in the network.
Regardless of this, my original message was looking to get some
deployment feedback on NPTv6 in service provider networks.
Any such feedback is appreciated.
Cheers,
Amos
On 3 Feb 2025, at 14:41, Dobbins, Roland <roland.dobb...@netscout.com>
wrote:
On Feb 3, 2025, at 17:03, Amos Rosenboim via NANOG <nanog@nanog.org>
wrote:
The requirement for stateful traffic flow is given by the customer.
Organizations sometimes state that they have requirements in
specialized contexts which are in fact counterproductive; in such
cases, they can often benefit from education in order to make
contextually optimal decisions.
The logic behind it is to avoid unnecessary paging procedures for
idle mobile devices.
‘Paging procedures’?
It protects both signaling resources of the network and also battery
life of devices.
There are other ways to accomplish this.
This was very relevant in the early 2000s; not sure if it’s relevant
today.
It was a huge mistake in the late 1990s and early 2000s, as the early
GPRS and EDGE wireless broadband networks which were implemented in
the same fashion as poorly-designed, state-ridden enterprise networks
constantly experienced severe operational problems until they were
remediated, one way or another.
However it remains a customer requirement.
See above.
As for clients' recovery from flow interruption: from incidents we
had in the last few years and observing how fast connections ramp up
on the alternate devices, it seems that clients are recovering very
quickly.
Introducing stateful firewalls in front of a population of Internet
broadband clients is a Very Bad Idea. DDoS attacks are attacks against
capacity and/or state; and outbound/crossbound attacks can be just as
disruptive as inbound attacks.
This precise scenario has played out many times, over the years.
Networks which were suboptimally designed in this fashion were either
completely re-designed in order to be scalable and resilient, removing
unnecessary and harmful state; were acquired and their brittle,
fragile, non-scalable state-ridden infrastructure was decommissioned;
or went out of business.
The few holdouts in the present day inevitably experience the problems
described above, and then proceed through the same evolution as other
network operators with similar architectures.
My main concern is that this customer has a pretty traditional mindset
and never likes being the first deployment of any technology.
NAT64/DNS64 with 464XLAT or something along these lines isn’t new
technology; on the contrary, it’s quite mature, and deployed around
the world. It isn’t stateless, but it’s much more scalable than
sticking stateful firewalls everywhere, heh.
Designing and implementing a broadband access network with this sort
of architecture isn’t going to end well. It isn’t beyond the realm of
possibility that these ‘requirements’ are largely driven by a supplier
of stateful firewalls, or an internal advocate for same.