nanog mailing list archives

Re: Addressing plan exercise for our IPv6 course


From: Mark Smith <nanog () 85d5b20a518b8f6864949bd940457dc124746ddc nosense org>
Date: Fri, 23 Jul 2010 13:45:17 +0930

On Thu, 22 Jul 2010 19:53:48 -0700
"Akyol, Bora A" <bora () pnl gov> wrote:

As long as customers believe that having a NAT router/"firewall" in place is a security feature,
I don't think anyone is going to get rid of the NAT box.


You need to separate the NAT function (or more specifically, Network
Address Port Translation (NAPT)), and the side effect of that operation
being a deny all for uninitiated inbound traffic. It is not a unique
property to NAPT, and in fact, stateful firewalling using public
addresses has been around as long as NAT (at least since 1995 IIRC).

In all reality, NAT boxes do work for 99% of customers out there.


So would a firewall with public addressing. It's worked for me for 10+
years with IPv4, and 4+ years with IPv6.

Of course, it didn't protect me when I ran an email attachment that
contained malware, or when I clicked on one of those "PC check"
popups that installed an application. (well, not actually me, but a
large number of people do this, helping the attacker completely bypass
any "NAT security". Inviting the attacker in as though they were a
trusted guest makes the best locks in the world on the door a waste of
time.)

It seems you haven't done much with NAT to have encountered its
limitations, or experienced the benefits of end-to-end connectivity
(ever had to stuff around with port forwarding, TURN, STUN etc. to get
VoIP working at home? I haven't, and I got to spend that time on
something else much more useful than fiddling with NAT workarounds.)


Bora


On 7/22/10 7:34 PM, "Owen DeLong" <owen () delong com> wrote:


Well, wouldn't it be better if the provider simply issued enough space to
make NAT66 unnecessary?

Owen
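To illustrate the point made above that "deny all uninitiated inbound" is a property of connection state tracking rather than of address translation, here is an added toy model (not code from the thread or from any product). The same tracker is run once as a stateful filter on public IPv6 addresses and once as an IPv4 NAPT box; all addresses are constructed from the documentation ranges, and the class and function names are the example's own.

```python
# Added example: a minimal connection tracker that can optionally translate.
# It shows the inbound filtering outcome is identical with or without NAPT;
# only the presence of matching state decides whether an inbound packet passes.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str      # source address (constructed documentation-range values)
    sport: int    # source port
    dst: str      # destination address
    dport: int    # destination port


class StatefulEdge:
    """Edge device. translate=False: stateful firewall, public addressing.
    translate=True: NAPT hiding inside hosts behind one external address."""

    def __init__(self, translate: bool = False, external: str = "192.0.2.1"):
        self.translate = translate
        self.external = external
        self.flows = {}          # (ext_src, ext_sport, dst, dport) -> inside (addr, port)
        self.next_port = 40000   # NAPT port pool start (constructed)

    def egress(self, p: Packet) -> Packet:
        """Outbound packet: record flow state, rewrite source only if translating."""
        if self.translate:
            ext_src, ext_sport = self.external, self.next_port
            self.next_port += 1
        else:
            ext_src, ext_sport = p.src, p.sport
        self.flows[(ext_src, ext_sport, p.dst, p.dport)] = (p.src, p.sport)
        return Packet(ext_src, ext_sport, p.dst, p.dport)

    def ingress(self, p: Packet):
        """Inbound packet: forwarded only if it matches state created on egress.
        Returns None for an uninitiated inbound packet (dropped in both modes)."""
        inside = self.flows.get((p.dst, p.dport, p.src, p.sport))
        if inside is None:
            return None
        return Packet(p.src, p.sport, inside[0], inside[1])


def run_scenario(translate: bool):
    """One outbound HTTPS flow, its reply, and an unrelated inbound SSH attempt."""
    edge = StatefulEdge(translate=translate)
    host = "10.0.0.10" if translate else "2001:db8:1::10"
    remote = "198.51.100.53" if translate else "2001:db8:ffff::53"
    stranger = "203.0.113.9" if translate else "2001:db8:9::1"
    out = edge.egress(Packet(host, 51000, remote, 443))
    reply = edge.ingress(Packet(remote, 443, out.src, out.sport))
    unsolicited = edge.ingress(Packet(stranger, 4444, out.src, 22))
    return out, reply, unsolicited
```

In the public-addressing run the outbound packet leaves with its real source address and the reply still comes back, while the unsolicited packet is dropped exactly as it is in the NAPT run.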
