Benny Amorsen wrote:

> On 2003-10-21 at 14:15, Todd T. Fries wrote:
>
> > I'm sorry to reply late to this, but I can't help but realize that
> > NAT+IPv4 vs IPv6+firewall can be equivalent in `isolation'. Simply
> > `block in all' and `pass out on $ext_if keep state' (in the pf terms of
> > OpenBSD) and in two rules you have the same isolation of a NAT+IPv4 as
> > you do with IPv6+firewall.
>
> Imagine that two internal hosts are communicating in your
> scenario. They have a TCP connection running for weeks.
> Then the outside connection to
> the Internet breaks and is brought back up, but assigned a different
> address. In the IPv4+NAT case hosts that only contact other
> hosts on the internal network do not notice the failure at all.
> In the IPv6+firewall case the new addresses are provided to the
> hosts and eventually the old
> addresses time out -- and the internal TCP connection breaks. Ouch.

As long as the IP addresses are not deconfigured this is no problem.
The "old" IP addresses are deprecated for use, 'old' connections stay up,
but the new IP is used for new connections. Note that of course you will
need to update DNS and such.

Last week I saw a good example of this. In May 2003 we transitioned the
Concepts POP from to RIPE addresses by allowing both the old and new prefix
to be used until June 1st, after which we reconfigged the ingress filter,
allowing only the delegated RIPE space and dropping and logging the rest.
Even up to last month connections were seen coming from the 6bone space
from one person who still had machines running which were not reconfigured
and thus still used the old prefix in his local setup.

I think IPv6 works perfectly well in cases like these ;)

Neeeeeeexxxt reason why NAT is so good..... which it really isn't.
It indeed has some advantages but most problems outweigh those with ease.

Greets,
 Jeroen

Jeroen Massar / [EMAIL PROTECTED] / http://unfix.org/~jeroen/

--------------------------------------------------------------------
IETF IPv6 working group mailing list
[EMAIL PROTECTED]
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
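The renumbering behaviour discussed in this thread, as an added example that is not part of the original mail: a small model of the preferred, deprecated and invalid address states, showing which source address new and existing connections use. The `2001:db8::/32` documentation prefixes, the lifetimes and all class and function names are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv6Address

DAY = 86400.0  # seconds

@dataclass
class Addr:
    ip: IPv6Address
    preferred_until: float  # end of preferred lifetime
    valid_until: float      # end of valid lifetime

    def state(self, now: float) -> str:
        if now < self.preferred_until:
            return "preferred"
        return "deprecated" if now < self.valid_until else "invalid"

class Host:
    def __init__(self):
        self.addrs = []

    def assign(self, ip, now, preferred, valid):
        addr = Addr(IPv6Address(ip), now + preferred, now + valid)
        self.addrs.append(addr)
        return addr

    def renumber(self, now, new_ip, grace, preferred, valid):
        """Deprecate current addresses, keep them valid for `grace`, add the new one."""
        for a in self.addrs:
            a.preferred_until = min(a.preferred_until, now)
            a.valid_until = now + grace
        return self.assign(new_ip, now, preferred, valid)

    def connect(self, now):
        """Source address for a NEW connection: preferred addresses only."""
        for a in self.addrs:
            if a.state(now) == "preferred":
                return a
        raise OSError("no preferred source address")

def connection_alive(src: Addr, now: float) -> bool:
    """An EXISTING connection survives until its source address turns invalid."""
    return src.state(now) != "invalid"

def scenario() -> dict:
    host = Host()
    host.assign("2001:db8:a::10", 0, preferred=7 * DAY, valid=30 * DAY)  # constructed
    old_conn = host.connect(now=1 * DAY)            # long-lived internal connection
    host.renumber(2 * DAY, "2001:db8:b::10", grace=14 * DAY,
                  preferred=7 * DAY, valid=30 * DAY)  # uplink comes back renumbered
    new_conn = host.connect(now=3 * DAY)
    return {"old_state_day3": old_conn.state(3 * DAY),
            "old_alive_day3": connection_alive(old_conn, 3 * DAY),
            "new_src": str(new_conn.ip),
            "old_alive_day17": connection_alive(old_conn, 17 * DAY)}
```

The day 17 result is the case where the old prefix is finally deconfigured after the grace period; as long as the grace period keeps being extended, the old connection stays up.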