nanog mailing list archives
Re: Assigning IPv6 /48's to CPE's?
From: "Tim Franklin" <tim () pelican org>
Date: Thu, 3 Jan 2008 16:25:31 -0000 (GMT)
On Thu, January 3, 2008 3:17 pm, William Herrin wrote:

> In my ever so humble opinion, IPv6 will not reach significant penetration at the customer level until NAT has been thoroughly implemented. Corporate information security officers will insist.
>
> Here's the thing: a stateful non-NAT firewall is automatically less secure than a stateful translating firewall. Why? Because a mistake configuring a NAT firewall breaks the network causing everything to stop working while a mistake with a firewall that does no translation causes data to flow unfiltered. Humans being humans, mistakes will be made. The first failure mode is highly preferable.

Only assuming the nature of your mistake is 'turn it off'. I can fat-finger a 'port-forward *all* ports to important internal server', rather than just '80/TCP' pretty much exactly as easily as I can fat-finger 'permit *all* external to important internal server' rather than just '80/TCP'.

Which failure mode is more acceptable is going to depend on the business in question too. If 'seconds connected to the Internet' is a direct driver of 'dollars made', spending a length of time exposed (risk of loss) while fixing a config error may well be preferable to spending a length of time disconnected (actual loss).

I'll grant the 'everything is disconnected' case is easier to spot, though - especially if you don't have proper change management to test that the change you made is the change you think you made.

Regards,
Tim.
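The kind of change test the reply's last paragraph refers to, as an added example that is not part of the original post: it compares the exposure a rule set actually creates with the exposure the change request asked for, and treats a NAT port-forward and a non-NAT permit the same way. The rule model, the host name `web01` and the candidate rule sets are constructed for illustration and do not correspond to any real firewall syntax.

```python
from dataclasses import dataclass

ALL_PORTS = range(1, 65536)

@dataclass(frozen=True)
class Rule:
    kind: str      # "dnat" = port-forward on a NAT firewall, "permit" = non-NAT filter
    proto: str     # "tcp" or "udp"
    ports: range   # outside-facing destination ports the rule matches
    host: str      # internal server that receives the traffic (hypothetical name)

def exposure(rules):
    """Map (host, proto) -> set of ports reachable from outside."""
    exposed = {}
    for r in rules:
        exposed.setdefault((r.host, r.proto), set()).update(r.ports)
    return exposed

def verify_change(rules, intended):
    """Return (unintended, missing) exposure relative to the change request."""
    actual = exposure(rules)
    unintended = {k: p - intended.get(k, set()) for k, p in actual.items()}
    missing = {k: p - actual.get(k, set()) for k, p in intended.items()}
    # Drop empty entries so a clean change yields ({}, {}).
    return ({k: v for k, v in unintended.items() if v},
            {k: v for k, v in missing.items() if v})

# Constructed change request: expose only 80/TCP on one internal server.
INTENDED = {("web01", "tcp"): {80}}

# Constructed candidate rule sets, one per mistake discussed in the thread.
CANDIDATES = {
    "nat, as intended": [Rule("dnat", "tcp", range(80, 81), "web01")],
    "nat, all ports forwarded": [Rule("dnat", "tcp", ALL_PORTS, "web01")],
    "filter, all ports permitted": [Rule("permit", "tcp", ALL_PORTS, "web01")],
    "nat, forward left out": [],
}

if __name__ == "__main__":
    for name, rules in CANDIDATES.items():
        extra, lost = verify_change(rules, INTENDED)
        n_extra = sum(len(p) for p in extra.values())
        n_lost = sum(len(p) for p in lost.values())
        print(f"{name:30} unintended={n_extra:5} missing={n_lost}")
```

The two fat-fingered rule sets produce identical unintended exposure regardless of whether translation is involved; only the omitted forward fails closed, and it shows up as missing exposure instead.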