Re: Time to let go of ipfilter

Board: DFBSD_kernel | Posted: 2011/01/22 21:01
On Sat, Jan 22, 2011 at 08:04:17PM +1100, Edward O'Callaghan wrote:
> more my point, +1
> to EOL'ing older solutions that are no longer maintained or scalable.
> One of the things that I myself consider a 'feature' of Dragonfly is
> less old junk running in kernel space (both important on a security
> and stability stand point) and a less bulky userland.

Can't agree more.

Speaking of future packet filtering improvements, we also need NAT64 support.

Traditional NAT maps IP addresses between two IPv4 spaces; we may call it NAT44 (IPv4 to IPv4).

NAT64 maps IPv4 addresses to an IPv6 space. It allows you to run an IPv6 only network and still have access to legacy IPv4 resources.

It works in combination with a special DNS64 resolver which translates A records to AAAA. AFAIK, DNS64 support is implemented in new versions of most of the leading DNS daemons (Bind, Unbound, etc...).

DNS64/NAT64 is already used by some ISPs. I tested Andrews & Arnold's gateway for a brief time; it worked flawlessly:
http://aaisp.net.uk/kb-broadband-ipv6-nat64.html

This technology allows you to shut down IPv4 on your network today and still be operational.

There are patches for OpenBSD 4.6 pf here:
http://ecdysis.viagenie.ca/index.html

Some links on this subject:
http://www.networkworld.com/community/blog/testing-nat64-and-dns64
http://www.viagenie.ca/publications/2009-11-06-3gpp-ietf-ipv6-shanghai-nat64.pdf

-- 
Francois Tigeot
Article code (AID): #1DEjKJpD (DFBSD_kernel)