Skip to main content

Posts

Showing posts from April, 2024

IPv6 - Can We Turn the Global Network into a Firewall Protecting All End Users?

One recurring argument against implementing IPv6 in campus networks is the absence of Network Address Translation (NAT). While NAT is perceived as a security mechanism in IPv4, we need to rethink our approach when working with IPv6. Instead of relying on NAT, we can leverage firewalls to safeguard endpoints. In IPv6, every device receives a routable address. To protect endpoints effectively, we require firewalls to filter unwanted traffic.   But what if we could stop such traffic at the source?   Could this approach convince more people toward adopting IPv6?   According to RFC 7381: “In a /48 assignment, typical for a site, there are then still 65,535 /64 blocks.” and “All user access networks should be a /64.”   Can we use then bit 63 to convey a message: “I don’t want any incoming traffic initiated towards me!!!”? Of course response would be accepted.   We could divide the /64 allocations into two groups: one for servers, and these accept incoming traffic (bi...