nanog mailing list archives

Re: Rate of growth on IPv6 not fast enough?


From: Chris Adams <cmadams () hiwaay net>
Date: Tue, 20 Apr 2010 14:51:19 -0500

Once upon a time, Roger Marquis <marquis () roble com> said:
> Address conservation aside, the main selling point of NAT is its filtering
> of inbound session requests.  NAT _always_ fails-closed by forcing inbound
> connections to pass validation by stateful inspection.  Without this you'd
> have to depend on less reliable (fail-open) mechanisms and streams could be
> initiated from the Internet at large.  In theory you could enforce
> fail-closed reliably without NAT, but the rules would have to be more
> complex and complexity is the enemy of security.

NAT == stateful firewall + packet mangling.  You can do all the same
stateful firewall bits and drop the packet mangling quite easily (it is
certainly not "more complex" to not mangle packets).

-- 
Chris Adams <cmadams () hiwaay net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
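The point Chris makes above can be shown as a ruleset. The following nftables
configuration is an added example, not something posted in the thread: the
same stateful forwarding policy is applied to both address families, and the
only IPv4-specific part is the NAT table that rewrites addresses. Interface
names "wan0" (upstream) and "lan0" (inside) are assumed placeholders.

```nft
# Added example (not from the original thread): one stateful filter for
# both IPv4 and IPv6, plus a NAT table that only adds address rewriting
# for IPv4. Interface names "wan0" and "lan0" are assumed placeholders.
flush ruleset

table inet filter {
    chain forward {
        # Default-deny on the forward path: anything not explicitly
        # accepted below is dropped, for IPv4 and IPv6 alike.
        type filter hook forward priority filter; policy drop;

        # Connection tracking decides what is allowed back in: only
        # packets belonging to a flow the inside already opened (or
        # related to one, such as ICMP errors) are accepted. This is the
        # "fail-closed" behaviour usually credited to NAT, and it does
        # not depend on any address rewriting.
        ct state invalid drop
        ct state established,related accept

        # New flows may only be initiated from the inside.
        iifname "lan0" oifname "wan0" ct state new accept

        # IPv6 caveat: do not block ICMPv6 wholesale. Path MTU discovery
        # relies on packet-too-big; conntrack normally classifies these
        # errors as "related", but an explicit accept keeps PMTUD working
        # even for flows the state table no longer knows about.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept
    }
}

# IPv4 only: the NAT table is the "packet mangling" layered on top of the
# filter above. Deleting this table leaves the filtering policy unchanged;
# hosts behind it simply keep their own addresses, as they do for IPv6.
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan0" masquerade
    }
}
```

Load it with `nft -f <file>` and compare `nft list ruleset` before and after
removing the `ip nat` table: the forward chain, and therefore which inbound
session requests are refused, is identical in both cases.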
