sronan,

A subnet can come from the ISP (residential/small business), or a business is utilizing BGP with their upstream. When v6 is in use, a firewall does not need to perform NAT, just stateful flow inspection and applying the applicable rules based on the zone and/or interface.
Bill,

Depending on where that rule is placed within your ACL, yes that can happen with *ANY* address family.

---

All things aside, I agree with Dan that NAT was never ever designed to be a security tool. It is used because of the scarcity of public address space, and it provides a "defense" depending on how it is implemented, with minimal effort.

This video tells the story of NAT and the Cisco PIX, straight from the creators: https://youtu.be/GLrfqtf4txw

Ryan Hamel

________________________________
From: NANOG <nanog-bounces+ryan=rkhtech....@nanog.org> on behalf of sro...@ronan-online.com <sro...@ronan-online.com>
Sent: Friday, February 16, 2024 5:44 PM
To: William Herrin <b...@herrin.us>
Cc: nanog@nanog.org <nanog@nanog.org>
Subject: Re: IPv6 uptake (was: The Reg does 240/4)

Why is your internal v6 subnet advertised to the Internet?

> On Feb 16, 2024, at 8:08 PM, William Herrin <b...@herrin.us> wrote:
>
> On Fri, Feb 16, 2024 at 3:13 PM Michael Thomas <m...@mtcc.com> wrote:
>> If you know which subnets need to be NAT'd don't you also know which
>> ones shouldn't be exposed to incoming connections (or conversely, which
>> should be permitted)? It seems to me that all you're doing is moving
>> around where that knowledge is stored? I.e., DHCP so it can give it a
>> private address rather than the firewall knowing which subnets not to
>> allow access? Yes, DHCP can be easily configured to make everything
>> private, but DHCP for static reachable addresses is pretty handy too.
>
> Hi Mike,
>
> Suppose I have a firewall at 2602:815:6000::1 with an internal network
> of 2602:815:6001::/64. Inside the network on 2602:815:6001::4 I have a
> switch that accepts telnet connections with a user/password of
> admin/admin. On the firewall, I program it to disallow all Internet
> packets to 2602:815:6001::/64 that are not part of an established
> connection.
>
> Someone tries to telnet to 2602:815:6001::4. What happens? Blocked.
>
> Now, I make a mistake on my firewall. I insert a rule intended to
> allow packets outbound from 2602:815:6001::4 but I fat-finger it and
> so it allows them inbound to that address instead. Someone tries to
> telnet to 2602:815:6001::4. What happens? Hacked.
>
> Now suppose I have a firewall at 199.33.225.1 with an internal network
> of 192.168.55.0/24. Inside the network on 192.168.55.4 I have a switch
> that accepts telnet connections with a user/password of admin/admin.
> On the firewall, I program it to do NAT translation from
> 192.168.55.0/24 to 199.33.225.1 when sending packets outbound, which
> also has the effect of disallowing inbound packets to 192.168.55.0/24
> which are not part of an established connection.
>
> Someone tries to telnet to 192.168.55.4. What happens? The packet
> never even reaches my firewall because that IP address doesn't go
> anywhere on the Internet.
>
> Now I make a mistake on my firewall. I insert a rule intended to allow
> packets outbound from 192.168.55.4 but I fat-finger it and so it
> allows them inbound to that address instead. Someone tries to telnet
> to 192.168.55.4. What happens? The packet STILL doesn't reach my
> firewall because that IP address doesn't go anywhere on the Internet.
>
> See the difference? Accessible versus accessible and addressable. Not
> addressable enhances security.
>
> Regards,
> Bill Herrin
>
>
> --
> William Herrin
> b...@herrin.us
> https://bill.herrin.us/
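The two claims in this exchange, Ryan's that where a mistaken rule lands in a first-match ACL decides whether it exposes the host in either address family, and Bill's that a packet for an RFC 1918 destination is never routed to the firewall from the Internet at all, can be checked with a toy ACL evaluator. This is an added example, not code from either poster or from any firewall vendor. The rule model (first match wins, implicit deny, a single `established` flag standing in for stateful flow inspection), the `outcome` and `shadowed_rules` helpers and the rule-set names are assumptions; the addresses are the ones quoted in the thread.

```python
# Toy first-match ACL evaluator (added illustration, not from the thread).
# Assumptions: first matching rule wins, implicit deny at the end, and one
# `established` flag on the packet stands in for the firewall's flow state.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    direction: str                   # "in" (Internet -> inside) or "out"
    dst: str                         # destination prefix the rule matches
    established_only: bool = False   # match only packets of an existing flow


@dataclass(frozen=True)
class Packet:
    dst: str
    direction: str
    established: bool = False


def internet_can_route(dst: str) -> bool:
    """The public Internet carries no route to RFC 1918 space, so a packet
    for 192.168.55.4 is dropped long before any firewall sees it."""
    return ipaddress.ip_address(dst).is_global


def evaluate(acl, pkt: Packet) -> str:
    """First-match evaluation with an implicit final deny."""
    addr = ipaddress.ip_address(pkt.dst)
    for rule in acl:
        if rule.direction != pkt.direction:
            continue
        if addr not in ipaddress.ip_network(rule.dst, strict=False):
            continue
        if rule.established_only and not pkt.established:
            continue
        return rule.action
    return "deny"


def outcome(acl, dst: str, established: bool = False) -> str:
    """What happens to an inbound packet from the Internet addressed to dst."""
    if not internet_can_route(dst):
        return "never reaches firewall"
    verdict = evaluate(acl, Packet(dst, "in", established))
    return "reaches host" if verdict == "allow" else "blocked"


def shadowed_rules(acl):
    """Indices of rules that can never match because an earlier rule in the
    same direction already covers their whole prefix and is at least as broad
    in flow state. Run after every ACL edit: a rule that landed below the deny
    it was meant to precede shows up here."""
    shadowed = []
    for j, later in enumerate(acl):
        later_net = ipaddress.ip_network(later.dst, strict=False)
        for earlier in acl[:j]:
            if earlier.direction != later.direction:
                continue
            if earlier.established_only and not later.established_only:
                continue
            if ipaddress.ip_network(earlier.dst, strict=False).supernet_of(later_net):
                shadowed.append(j)
                break
    return shadowed


# Bill's IPv6 network: only established flows may enter. The intended rule
# was Rule("allow", "out", V6_HOST); the fat-finger turns "out" into "in".
V6_NET, V6_HOST = "2602:815:6001::/64", "2602:815:6001::4/128"
V6_CORRECT = [
    Rule("allow", "in", V6_NET, established_only=True),
    Rule("deny", "in", V6_NET),
    Rule("allow", "out", V6_HOST),
]
# Mistake placed above the deny: it matches first and exposes the host.
V6_FATFINGER_ABOVE_DENY = [
    Rule("allow", "in", V6_NET, established_only=True),
    Rule("allow", "in", V6_HOST),        # typo: should have been "out"
    Rule("deny", "in", V6_NET),
]
# Same mistake placed below the deny: shadowed, so the host stays blocked.
V6_FATFINGER_BELOW_DENY = [
    Rule("allow", "in", V6_NET, established_only=True),
    Rule("deny", "in", V6_NET),
    Rule("allow", "in", V6_HOST),        # typo, but never reached
]
# Bill's IPv4 network behind NAT, with the same mistake in the worst position.
V4_NET, V4_HOST = "192.168.55.0/24", "192.168.55.4/32"
V4_FATFINGER_ABOVE_DENY = [
    Rule("allow", "in", V4_NET, established_only=True),
    Rule("allow", "in", V4_HOST),        # typo: should have been "out"
    Rule("deny", "in", V4_NET),
]

if __name__ == "__main__":
    for name, acl, dst in [("v6 correct", V6_CORRECT, "2602:815:6001::4"),
                           ("v6 typo above deny", V6_FATFINGER_ABOVE_DENY, "2602:815:6001::4"),
                           ("v6 typo below deny", V6_FATFINGER_BELOW_DENY, "2602:815:6001::4"),
                           ("v4 typo above deny", V4_FATFINGER_ABOVE_DENY, "192.168.55.4")]:
        print(f"{name}: {outcome(acl, dst)}; shadowed rules {shadowed_rules(acl)}")
```

The IPv4 case is the one to read carefully: `evaluate` alone says the typo ACL would admit the packet, exactly as it does for IPv6, but `outcome` reports that the firewall never gets to apply it because the destination is not globally routable. `shadowed_rules` is the cheap post-change check that turns Ryan's "depending on where that rule is placed" into something a reviewer can assert on before the change goes live.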