Wednesday, January 28, 2009

IPv6 NAT

During my last ITO project I worked on a solution to implement some kind of NAT
for IPv6. Packet-mangling solutions such as netfilter are missing IPv6 NAT for a good
reason: one of IPv6's design goals was the end-to-end principle, and NAT often gives
people a false sense of security. NAT is one major reason why the VoIP breakthrough
came so late.
However, transparent proxying and redirection of connections is also done via NAT,
and that's where NAT for IPv6 makes sense: to set up spam traps, transparent
virus scanning or HTTP proxies. My solution works on Linux kernels >= 2.6.14,
running as a normal user-space daemon.

Wednesday, January 7, 2009

Happy new 2009!

The recent 25c3 was a funny event, although I missed a couple of friends to talk to.

So, I could use some time slots to talk to the OpenBSD folks about security,
which is always funny. Besides our differences about the meaning of exploitability,
they nevertheless do a good job and I highly respect their voluntary work, in
particular in a $$-driven (security) world. Even at such an event, about 2/3 of
the folks only talk about $$ and what kind of customer is waiting for new
'solutions'.
Thanks to the French telco guys for the free beer and the funny stories.