Network isolation with IPv6

It is my understanding that network address translation (NATing) goes away with IPv6. How do we isolate network resources to those that need them from the rest of the internet? I am specifically thinking about allowing access to internal network resources like file servers or VM hosts to remote users, such as those working from home.

A similar scenario also comes up in IPv4 today. At many universities, including my own, each network device gets a publicly routable IP. I'd like to run a file server, but don't really want it publicly accessible. Ideally it too would have a public IP and VPN would not be necessary.

Comments?


Solution 1:

How do we isolate network resources to those that need them from the rest of the internet?

That's what stateful firewalls are for. The isolation that NAT provides really provides only a false sense of security, and is not good for anything other than security by obscurity.

That said, while NAT will be needed on a much less frequent basis after migration to IPv6, it's not going away anytime soon. In fact, for better or worse, NATv6 implementations already exist and are in production in various organizations today.

Just because a device has a public IP address does not mean in any way that it's publicly accessible. Your default firewall policy should be default deny, and then only allow traffic to/from specific ports or subnets as needed.

Solution 2:

You can use unique local addresses for resources that shouldn't be available on the public Internet. The ULA range is fc00::/7, which is outside the global range (2000::/3).
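An nftables ruleset that puts both answers together for a file server with a globally routable address: default-deny on input, then allow only the file service from the internal ULA prefix and from the remote workers' prefix. This is an added example, not from either answer; the prefixes `fd12:3456:789a::/48` (ULA) and `2001:db8:2::/64` (remote workers, documentation range) are assumed placeholders.

```nft
#!/usr/sbin/nft -f
# Added example: IPv6 host firewall for a file server, default deny.
# Assumed placeholder prefixes:
#   fd12:3456:789a::/48  internal LAN (unique local addresses, fc00::/7)
#   2001:db8:2::/64      remote workers (documentation prefix)

flush ruleset

table ip6 filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback, and packets of connections already accepted (stateful part).
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ICMPv6 is required on IPv6: neighbour discovery, PMTU discovery,
        # router advertisements. Dropping it all breaks the host.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request, nd-router-advert,
                      nd-neighbor-solicit, nd-neighbor-advert } accept

        # SSH for administration, from the internal ULA prefix only.
        ip6 saddr fd12:3456:789a::/48 tcp dport 22 accept

        # SMB file service: internal LAN and the remote-worker prefix only.
        ip6 saddr { fd12:3456:789a::/48, 2001:db8:2::/64 } tcp dport 445 accept

        # Everything else falls through to the chain policy (drop); count it.
        counter comment "dropped by default policy"
    }

    chain forward {
        # This host does not route for anyone.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f` and check with `nft list ruleset`; the server keeps its public address, but only the listed prefixes can reach port 445.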