[Freeswitch-users] NAT traversal - the final say..!

Andrew Cassidy andrew at cassidywebservices.co.uk
Thu Dec 27 17:45:10 MSK 2012


Also if you're even thinking about using NAT for IPv6, you're doing it
wrong and are still thinking of NAT as a useful mechanism which suggests
you're not looking at IPv6 with a completely fresh mindset. Yes there are
v4/v6 similarities, but they are few and far between. Any problems caused
by a missing feature in v6 are because that feature in v4 is BAD.

For example, people use NAT as a security mechanism. This is
bad, because it's not. NAPT even violates the OSI model.

If you want services to only be accessible privately, assign both private
and public addresses and use your host and edge firewalls and listen
parameters on the service so that only connections from the local subnets
are allowed.

IPv6 specifies that all hosts generate a non-routeable link-local address
anyway. This makes perfect sense, as it brings IP-related layer 2 services
up to layer 3, making them link-type independent. One such example is DHCPv6.

There are also specifications for non-externally-routeable site-local
addresses, which are only routeable within the LAN but can
span multiple subnets. That's larger deployments taken care of.

The thing to remember is that IPv6 is designed for each host to have
multiple addresses, meaning you can have a link-local, site-local and
globally routeable IP address per host which can each be
secured independently. Manage it all correctly and there are no problems. A
subnet change should just mean that you need to update DNS records for your
external services and edge routers with the new subnet mask.

Just my 2 cents.

On 27 December 2012 14:25, Andrew Cassidy
<andrew at cassidywebservices.co.uk> wrote:

> if my subnet changes i only need to change ONE setting on my entire
> network.
>
>
> On 25 December 2012 07:35, Mimiko <vbvbrj at gmail.com> wrote:
>
>> On 25.12.2012 02:14, Scott wrote:
>>
>> > Anyone with medium to large addressable end-points in their
>> > installations really needs to look at implementing IPv6 WITH -- repeat
>> > WITH -- IPv6-NAT (and/or NAT64) in the mix.
>> >
>> I will use this when moving to ipv6. At my company we have two internet
>> and voip providers for fault tolerance and load balancing. Also for using
>> lowest cost per call. The plans are to have third internet and voip
>> provider.
>>
>> So using internal ipv6 for addressing and dynamically mapping to those,
>> provided by internet providers, is the only way to work.
>>
>> --
>> Mimiko desu.
>>



-- 
*Andrew Cassidy BSc (Hons) MBCS SSCA*
Managing Director


T: 03300 100 960
F: 03300 100 961
E: andrew at cassidywebservices.co.uk
W: www.cassidywebservices.co.uk
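
The per-address approach in the message above (link-local, site-local and global addresses on one host, each secured independently), sketched as an added example that is not part of the original post. The names `scope`, `allowed`, `audit` and `POLICY`, and every address and port in it, are assumptions constructed for illustration.

```python
import ipaddress as ip

# Scopes named in the post. fec0::/10 is the original site-local range (since
# deprecated); fc00::/7 unique-local addresses fill the same role today.
SCOPES = [
    ("link-local", ip.ip_network("fe80::/10")),
    ("site-local", ip.ip_network("fec0::/10")),
    ("site-local", ip.ip_network("fc00::/7")),
]

def scope(addr):
    """Return 'link-local', 'site-local' or 'global' for an IPv6 address."""
    a = ip.ip_address(addr.split("%")[0])  # drop any zone id such as %eth0
    for name, net in SCOPES:
        if a in net:
            return name
    return "global"

# Constructed policy for one host with three addresses: each listening address
# has its own port list and permitted source prefixes. 8021 stands in for a
# management port, 5060 for SIP; 2001:db8::/32 stands in for a global prefix.
POLICY = {
    "fe80::10":             {"ports": {8021},       "sources": ["fe80::/10"]},
    "fd12:3456:789a:1::10": {"ports": {8021, 5060}, "sources": ["fd12:3456:789a::/48"]},
    "2001:db8:1::10":       {"ports": {5060},       "sources": ["::/0"]},
}

def allowed(dst, port, src, policy=POLICY):
    """Default-deny decision: may src reach dst:port under the policy?"""
    rule = policy.get(dst)
    if rule is None or port not in rule["ports"]:
        return False
    s = ip.ip_address(src.split("%")[0])
    return any(s in ip.ip_network(p) for p in rule["sources"])

def audit(policy):
    """Flag private-scope listeners whose source list reaches outside that scope."""
    findings = []
    for dst, rule in policy.items():
        own = scope(dst)
        if own == "global":
            continue
        for p in rule["sources"]:
            net = ip.ip_network(p)
            if not any(net.subnet_of(n) for name, n in SCOPES if name == own):
                findings.append((dst, p))
    return findings
```

`audit` is the check to run after a renumbering or policy edit: a private-scope listener that accepts `::/0` is the misconfiguration that exposes an internal service.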