
List:       nanog
Subject:    Re: AWS and IPv6
From:       William Herrin <bill () herrin ! us>
Date:       2021-11-29 2:23:03
Message-ID: CAP-guGUuiMDoW=9tH8+r5PAVbyPKAwdQZ7qn=0gvhuS-eZPTkQ () mail ! gmail ! com

On Sun, Nov 28, 2021 at 4:13 PM William Herrin <bill@herrin.us> wrote:
> Yeah, they don't even have a practical way to implement a firewall
> instance for IPv6. Unless you want to mirror 1:many NAT for IPv6 like
> you do IPv4. You just can't route an IPv6 block to an instance. And
> with 1:many NAT you wouldn't want public IP addresses inside but AWS
> doesn't let you assign ULA addresses inside the subnet, only global
> addresses.

I stand corrected on this.

https://aws.amazon.com/blogs/aws/inspect-subnet-to-subnet-traffic-with-amazon-vpc-more-specific-routing/


https://aws.amazon.com/blogs/aws/new-vpc-ingress-routing-simplifying-integration-of-third-party-appliances/


This technique does in fact work for IPv6, allowing you to insert a
firewall at the edge. Interestingly though, it won't receive IPv6
packets for an address that isn't attached to a running instance in
the interior subnet.

Regards,
Bill Herrin

-- 
William Herrin
bill@herrin.us
https://bill.herrin.us/
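
Worked example of the technique the two linked AWS posts describe (VPC ingress routing plus more-specific routing), as an added illustration that is not part of Bill Herrin's message and not AWS's or any project's own code: a Terraform sketch that drops a firewall appliance between the internet gateway and a protected IPv6 subnet. The region, AMI, CIDRs and every resource name are assumptions made for illustration.

```hcl
# Added example (not from the original message or the AWS blog posts):
# VPC ingress routing for IPv6. Internet -> protected-subnet packets are
# handed to a firewall appliance ENI before they reach the subnet.
# Region, AMI, CIDRs and resource names are assumed for illustration.

terraform {
  required_providers {
    aws = { source = "hashicorp/aws", version = ">= 4.0" }
  }
}

provider "aws" {
  region = "us-east-1" # assumed
}

resource "aws_vpc" "main" {
  cidr_block                       = "10.0.0.0/16"
  assign_generated_ipv6_cidr_block = true # AWS hands out a global /56
}

resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.main.id
}

# Subnet holding the appliance: first /64 of the VPC /56.
resource "aws_subnet" "firewall" {
  vpc_id                          = aws_vpc.main.id
  cidr_block                      = "10.0.0.0/24"
  ipv6_cidr_block                 = cidrsubnet(aws_vpc.main.ipv6_cidr_block, 8, 0)
  assign_ipv6_address_on_creation = true
}

# Protected interior subnet: second /64.
resource "aws_subnet" "protected" {
  vpc_id                          = aws_vpc.main.id
  cidr_block                      = "10.0.1.0/24"
  ipv6_cidr_block                 = cidrsubnet(aws_vpc.main.ipv6_cidr_block, 8, 1)
  assign_ipv6_address_on_creation = true
}

# The appliance. source_dest_check must be off, otherwise EC2 discards
# forwarded packets whose addresses are not the ENI's own.
resource "aws_instance" "firewall" {
  ami                = "ami-0123456789abcdef0" # assumed placeholder
  instance_type      = "c5n.large"
  subnet_id          = aws_subnet.firewall.id
  ipv6_address_count = 1
  source_dest_check  = false
}

# Ingress routing: a route table attached to the IGW itself. The route is
# more specific than the VPC /56 (what "more specific routing" permits), so
# inbound traffic for the protected /64 goes to the appliance ENI.
resource "aws_route_table" "igw_ingress" {
  vpc_id = aws_vpc.main.id

  route {
    ipv6_cidr_block      = aws_subnet.protected.ipv6_cidr_block
    network_interface_id = aws_instance.firewall.primary_network_interface_id
  }
}

resource "aws_route_table_association" "igw" {
  gateway_id     = aws_internet_gateway.igw.id
  route_table_id = aws_route_table.igw_ingress.id
}

# Appliance subnet reaches the Internet directly.
resource "aws_route_table" "firewall" {
  vpc_id = aws_vpc.main.id

  route {
    ipv6_cidr_block = "::/0"
    gateway_id      = aws_internet_gateway.igw.id
  }
}

resource "aws_route_table_association" "firewall" {
  subnet_id      = aws_subnet.firewall.id
  route_table_id = aws_route_table.firewall.id
}

# Protected subnet sends outbound IPv6 through the same appliance, so both
# directions of a flow cross one firewall (needed for stateful inspection).
resource "aws_route_table" "protected" {
  vpc_id = aws_vpc.main.id

  route {
    ipv6_cidr_block      = "::/0"
    network_interface_id = aws_instance.firewall.primary_network_interface_id
  }
}

resource "aws_route_table_association" "protected" {
  subnet_id      = aws_subnet.protected.id
  route_table_id = aws_route_table.protected.id
}
```

Two practical checks after `terraform apply`: confirm the appliance instance shows source/dest check disabled (otherwise nothing is forwarded), and confirm that the route table associated with the internet gateway, not the protected subnet's table, carries the /64 route to the appliance ENI. Keep Herrin's observation above in mind when testing: only IPv6 addresses actually attached to running instances in the protected subnet will be delivered to the appliance, so probing an unassigned address in that /64 will not exercise the firewall path.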

