[lacnog] A Disaster for IPv6 - Brought by Fortinet
Fernando Gont
fgont at si6networks.com
Tue Jun 9 05:12:41 -03 2026
Hi, Fernando,
On 08/06/2026 23:50, Fernando Frediani wrote:
> Hi Fernando
>
> I would respectfully disagree on some points.
> It is a firewall/router device which should still be conceived to work
> as expected, according to well-established RFCs and Best Practices.
The IETF has generally been against firewalls, and has neglected and/or
pushed against their existence as much as possible -- so I'm not sure what
you mean by "work as expected" or well-established BCPs.
> If
> they don't understand, then it doesn't seem to be the best way to sweep it
> under the carpet by doing automatic NAT66 out of the box to make it work.
>
> The behavior should not be to do the right thing and have the device working
> as expected only if you know better.
Expected by whom? - If you are a firewall vendor, it's actually a
sensible approach to fail on the safe side.
(I personally don't care about this specific vendor, or even their
default setting... but at the same time, this "crusade" against their
default settings doesn't make much sense to me).
> Vendors need to take responsibility
> when pushing it to market as well, not just try to solve a problem in the
> short term and risk causing a misconception in the long term, especially for
> those who still need to know better.
A vendor is there to sell devices. It's a company -- with the main goal
of making profit... not an educational non-profit meant to educate people.
And if you want to get into an architectural debate, you may start by
blaming the IETF itself, which happily passed this:
https://datatracker.ietf.org/group/iesg/appeals/artifact/46
> Doing NAT66 using the WAN addresses will generate more "native" IPv6
> traffic towards the Internet, but at what cost? Getting thousands of IT
> administrators to believe that this is the right way of doing it and
> not having to worry about each device having its Global Unicast Address?
There's no such thing as "the right way". -- If anything, you may
argue "as originally envisioned".
But the "originally envisioned" part dates back to 30 years ago, when
the Internet had a completely different role in society, economy, etc.
I will definitely argue that, in the modern world, the "originally
envisioned" idea of assigning a global address to every single endpoint,
and letting every host talk to every other host, is not only unrealistic, but
also undesirable -- as much as leaving your door open in any major
city of this continent. (It would be great otherwise, but...)
> I understand the point that something is better than nothing, but on the
> other hand I think we all, including vendors, need to endeavor to get
> things done the correct way, and even if you have to do something far
> from ideal, at least use that opportunity to bring knowledge to whoever
> needs it.
In the context of a company, every activity is usually (or at least should be)
preceded by the question "What problem are you trying to solve?".
In such a context, if you are not solving any problems, and you're
diverging from what people are used to, you're buying both yourself and
your company a problem -- particularly for the vast majority of
organizations, for which IPv6 is not in the top-10 or top-N priorities.
If NAT66 allows the network to function in a way that is well
understood, allows an entire team to be able to troubleshoot a
network problem, eliminates issues like slaac-renum, etc., you call it a
day and move on to the next item in your TODO list. (Of course, in other
contexts you might and/or should deploy it differently.)
The same thing applies to other religious debates that happen at the IETF,
such as slaac vs. dhcpv6 -- you should have both options, and let folks
pick whatever they please (I couldn't care less about the specific
choice... works for you? - works for me).
TL;DR: One would have expected that, after 30+ years, the community would
have adjusted expectations and embraced what might have been considered
undesirable or "unacceptable" 30 years ago. However, there's still a big
community that prefers to stick to ideas that originated 30 years ago,
rejects solving known problems, and celebrates single-digit increases in
IPv6 deployment.
--
Fernando Gont
SI6 Networks
e-mail: fgont at si6networks.com
PGP Fingerprint: F242 FF0E A804 AF81 EB10 2F07 7CA1 321D 663B B494
More information about the LACNOG mailing list