[lacnog] A Disaster for IPv6 - Brought by Fortinet
Fernando Frediani
fhfrediani at gmail.com
Fri Jun 5 11:14:28 -03 2026
Hello all
I believe some have seen this news:
https://weberblog.net/fortigate-enables-nat-for-ipv6-by-default-%F0%9F%A4%A6/
This looks like a real disaster for IPv6. Something that was created to
restore end-to-end connectivity, with a thoughtless decision, has the
potential to change a lot in the long term, given the context where Fortinet
devices are used.
Hard to know what motivated Fortinet developers to do that, but you may
imagine that as many IT administrators that manage these boxes have
little clue about how to configure them for IPv6, they may have tried to
make it simpler, maybe at the pressure of some high level person to
"resolve the problem", and came out with this very bad solution.
I wonder, when such a thing is decided internally, if no one in the team
raised the seriousness of it or, if they did, if it was overruled. I can't
imagine this was a one-person decision that went unnoticed.
Although NAT66 features may have a single usage nowadays, which is to
have redundancy among 2 broadband ISPs (as Homenet never worked as
expected), if such features come embedded in the device's
firmware, there should be proper warnings when enabling them and about what
they should be used for.
Well, sad to see such thoughtless decisions from a vendor that is
supposed to be specialized in turning RFCs and Best Practices into
Enterprise Grade products with well informed technical and design decisions.
Fernando