nanog mailing list archives

Re: Assigning IPv6 /48's to CPE's?


From: "Tim Franklin" <tim () pelican org>
Date: Thu, 3 Jan 2008 16:25:31 -0000 (GMT)


On Thu, January 3, 2008 3:17 pm, William Herrin wrote:

> In my ever so humble opinion, IPv6 will not reach significant
> penetration at the customer level until NAT has been thoroughly
> implemented. Corporate information security officers will insist.
> Here's the thing: a stateful non-NAT firewall is automatically less
> secure than a stateful translating firewall. Why? Because a mistake
> configuring a NAT firewall breaks the network causing everything to
> stop working while a mistake with a firewall that does no translation
> causes data to flow unfiltered. Humans being humans, mistakes will be
> made. The first failure mode is highly preferable.

Only assuming the nature of your mistake is 'turn it off'.

I can fat-finger a 'port-forward *all* ports to important internal
server', rather than just '80/TCP' pretty much exactly as easily as I can
fat-finger 'permit *all* external to important internal server' rather
than just '80/TCP'.

Which failure mode is more acceptable is going to depend on the business
in question too.  If 'seconds connected to the Internet' is a direct
driver of 'dollars made', spending a length of time exposed (risk of loss)
while fixing a config error may well be preferable to spending a length of
time disconnected (actual loss).

I'll grant the 'everything is disconnected' case is easier to spot, though
- especially if you don't have proper change management to test that the
change you made is the change you think you made.

Regards,
Tim.
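As an added illustration, not part of Tim's or William's posts: the two fat-fingered rules Tim describes, written out in iptables-save syntax next to the intended 80/TCP-only versions, plus a small check of the kind a change-management step could run to confirm that "the change you made is the change you think you made". The rule set and the addresses (documentation ranges) are constructed for this example; the check logic is hypothetical and deliberately simple.

```python
import shlex

# Constructed rule set in iptables-save syntax. INTENDED is the change the
# operator meant to make: forward and permit only 80/TCP to the internal
# server 10.0.0.5. FAT_FINGERED is the mistake in each world: the --dport
# match was dropped, so the DNAT rule now forwards every TCP port and the
# ACCEPT rule now permits every TCP port. Neither one "breaks the network".
INTENDED = [
    "-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 80 "
    "-j DNAT --to-destination 10.0.0.5:80",
    "-A FORWARD -d 10.0.0.5/32 -p tcp -m tcp --dport 80 -j ACCEPT",
]
FAT_FINGERED = [
    "-A PREROUTING -d 203.0.113.10/32 -p tcp -j DNAT --to-destination 10.0.0.5",
    "-A FORWARD -d 10.0.0.5/32 -p tcp -j ACCEPT",
]


def parse_rule(rule):
    """Split one iptables-save line into a dict of option -> value.

    An option followed by a non-option token takes that token as its value;
    an option with no value (none occur in the examples above) maps to True.
    """
    toks = shlex.split(rule)
    opts = {}
    i = 0
    while i < len(toks):
        tok = toks[i]
        if tok.startswith("-"):
            if i + 1 < len(toks) and not toks[i + 1].startswith("-"):
                opts[tok] = toks[i + 1]
                i += 2
                continue
            opts[tok] = True
        i += 1
    return opts


def unbounded_exposure(rules):
    """Return the rules that hand a named internal destination every port.

    A DNAT (port-forward) or ACCEPT (permit) rule that names a destination
    with -d but carries no --dport match is flagged. The translating and the
    non-translating mistake are the same shape, so one check catches both,
    which is Tim's point: neither failure mode is self-announcing.
    """
    findings = []
    for rule in rules:
        o = parse_rule(rule)
        if o.get("-j") in ("DNAT", "ACCEPT") and "-d" in o and "--dport" not in o:
            findings.append(rule)
    return findings


if __name__ == "__main__":
    for label, rules in (("intended", INTENDED), ("fat-fingered", FAT_FINGERED)):
        for rule in unbounded_exposure(rules):
            print(f"{label}: exposes all ports -> {rule}")
```

The check only looks for a missing `--dport`; a typo inside the port range (say `--dport 1:65535`) or a `-j ACCEPT` with no `-d` at all would slip past it, so in practice it belongs beside, not instead of, an end-to-end test that probes the intended port and one unintended port after the change is applied.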


