On Feb 4, 2025, at 12:26, Amos Rosenboim wrote:
What other problems do you anticipate?
All the issues mentioned earlier in this thread.
There are multiple techniques available to ameliorate the side-effects of
aggressive scanning in a network using NAT64/DNS64 with 464XLAT.
Thank you.
I am not building it yet… still considering it.
The functional problems I am considering are in the fields of ALG.
What other problems do you anticipate?
Regards
On 3 Feb 2025, at 22:21, Ca By wrote:
On Mon, Feb 3, 2025 at 12:1
On 2/3/25 15:14, Amos Rosenboim via NANOG wrote:
Even with IPv6, many of the operators I know of do not allow internet
initiated traffic towards their subscribers.
Address translation is not required for this function. A stateless ACL
can do a lot to limit it especially combined with assignin
My CGNat domains for resi bb (dsl, cm, ftth) for IPv4 were created years
ago as MPLS-based L3VPN's. I've tested and proven an architecture where
by which, I advertise another BGP RT and allow the IPv6 dual stacked
portion to "flow around" the CGNat boundary and naturally route out to
the Inter
I feel like you are conflating two things, stateful firewalls and NPTv6
or any form of NAT, they are often done at the same box together, but
they are not inherently linked.
I dislike NAT in an IPv6 environment as I've generally not found a use
for it not better served by something else, but a
On Feb 4, 2025, at 03:14, Amos Rosenboim wrote:
As much as I love to be a network purist who hates state maintenance in the
core of the network, the sad reality is that these devices are there and will
remain there for the foreseeable future.
Not on reliable, resilient networks of any signifi
On Mon, Feb 3, 2025 at 12:15 PM Amos Rosenboim via NANOG
wrote:
> Roland,
>
> Thanks for your comments.
>
> As much as I love to be a network purist who hates state maintenance in
> the core of the network, the sad reality is that these devices are there
> and will remain there for the foreseeabl
Roland,
Thanks for your comments.
As much as I love to be a network purist who hates state maintenance in the
core of the network, the sad reality is that these devices are there and will
remain there for the foreseeable future.
Mobile operators need IPv4 address sharing and many of them choos
On Feb 3, 2025, at 17:03, Amos Rosenboim via NANOG wrote:
The requirement for stateful traffic flow is given by the customer.
Organizations sometimes state that they’ve requirements in specialized
contexts which are in fact counterproductive; in such cases, they can often
benefit from edu
Thank you Joshua for the quick and detailed response.
I agree with everything you mentioned below, and this is why we are
considering it.
To your questions and comments below:
The requirement for stateful traffic flow is given by the customer.
The logic behind it is to avoid unnecessary pagi
Hi Amos,
Assuming the network segments adjacent to these stateful devices use
longest prefix match routing, NPTv6 is your best option. You'd assign a
unique IPv6 prefix as the NPTv6 prefix to each firewall, ensuring the
traffic returns to the correct firewall.
Keep in mind each stateful firewall i
Hi,
We are implementing a CGNAT + IPv6 firewall project for a mobile service
provider.
One of the project goals is to support scale-out, all-active deployment of the
stateful devices.
One of the challenges of inserting these stateful devices into the network is
the requirement that all packet