On Wed, 3 Jul 2024, Brian E Carpenter wrote:
There is NATv6 but it's not widely used. It is not hard to set up an
IPv6 firewall with the same kind of protection you normally get from
NAT. I've done it. But it's not the same as NAT so I suppose it seems
harder.
I'm not really sure why, because the things a firewall has to look for are
very similar for IPv4 and IPv6. The only case where no-NAT is at a real
disadvantage is for topology hiding. There are enterprises that care
about that.
Sort of. I suppose someone might care that you can tell that two services
behind the firewall are on the same machine, but if you care about that,
give each service a separate address. On my network 2001:470:1f07:1126::
there are 74 active IPv6 addresses and I don't think it's easy to tell how
many physical machines that is.
For operations within an enterprise, that's clearly true. For
public access outside the DMZ, being accessible via IPv6 will, I think,
be an increasing advantage as deployment of IPv6 at the consumer edge
continues to increase.
Given how hostile consumer ISPs are to retail customers running servers
visible to the public, I don't get it. It makes P2P stuff somewhat easier
but UPnP and STUN already let you do a lot of it from behind a NAT.
R's,
John
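The thread's point that an IPv6 firewall can give the same "no unsolicited inbound" protection people associate with NAT can be illustrated with a stateful default-deny ruleset. The following nftables configuration is an added example and is not from either poster; the interface names `lan0` and `wan0` are assumed, and it is written as a single `nft -f` ruleset file.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the thread): stateful IPv6 firewall on a
# router with assumed interfaces lan0 (inside) and wan0 (Internet).
# Property being reproduced: hosts inside may initiate connections
# outward; nothing outside may initiate connections inward.
flush ruleset

table inet filter {
    # Traffic addressed to the router itself.
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ICMPv6 is not optional: Neighbor Discovery and Path MTU
        # discovery break if these are dropped, so allow the needed
        # types explicitly rather than blocking ICMPv6 wholesale.
        icmpv6 type {
            destination-unreachable, packet-too-big, time-exceeded,
            parameter-problem, echo-request,
            nd-router-solicit, nd-router-advert,
            nd-neighbor-solicit, nd-neighbor-advert
        } accept

        # Management only from the inside network.
        iifname "lan0" tcp dport 22 accept
    }

    # Traffic routed between lan0 and wan0.
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections the inside started; same effect as
        # the NAT mapping table, without rewriting addresses.
        ct state established,related accept
        ct state invalid drop

        # End-to-end ICMPv6 that must cross the router for PMTUD and
        # error reporting to work for inside hosts.
        icmpv6 type {
            destination-unreachable, packet-too-big, time-exceeded,
            parameter-problem, echo-request
        } accept

        # New connections are allowed only from inside to outside.
        iifname "lan0" oifname "wan0" ct state new accept

        # Any service deliberately exposed gets its own explicit rule;
        # placeholder address, replace with the real host.
        # iifname "wan0" ip6 daddr 2001:db8::10 tcp dport 443 ct state new accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f <file>` and confirm with `nft list ruleset`. The `forward` chain's `policy drop` plus the `ct state` rules is what reproduces NAT's inbound-blocking behaviour; the separate ICMPv6 allowances are the part most often forgotten when people port an IPv4 ruleset, and omitting them is what makes an IPv6 firewall "seem harder" than it is.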