nanog mailing list archives
Re: Addressing plan exercise for our IPv6 course
From: Mark Smith <nanog () 85d5b20a518b8f6864949bd940457dc124746ddc nosense org>
Date: Fri, 23 Jul 2010 13:45:17 +0930
On Thu, 22 Jul 2010 19:53:48 -0700 "Akyol, Bora A" <bora () pnl gov> wrote:
> As long as customers believe that having a NAT router/"firewall" in place is a security feature, I don't think anyone is going to get rid of the NAT box.
You need to separate the NAT function (or more specifically, Network Address Port Translation (NAPT)), and the side effect of that operation being a deny all for uninitiated inbound traffic. It is not a unique property to NAPT, and in fact, stateful firewalling using public addresses has been around as long as NAT (at least since 1995 IIRC).
> In all reality, NAT boxes do work for 99% of customers out there.
So would a firewall with public addressing. It's worked for me for 10+ years with IPv4, and 4+ years with IPv6. Of course, it didn't protect me when I ran an email attachment that contained malware, or when I clicked on one of those "PC check" popups that installed an application. (well, not actually me, but a large number of people do this, helping the attacker completely bypass any "NAT security". Inviting the attacker in as though they were a trusted guest makes the best locks in the world on the door a waste of time.)

It seems you haven't done much with NAT to have encountered its limitations, or experienced the benefits of end-to-end connectivity (ever had to stuff around with port forwarding, TURN, STUN etc. to get VoIP working at home? I haven't, and I got to spend that time on something else much more useful than fiddling with NAT workarounds.)
> Bora
>
> On 7/22/10 7:34 PM, "Owen DeLong" <owen () delong com> wrote:
>
>> Well, wouldn't it be better if the provider simply issued enough space to make NAT66 unnecessary?
>>
>> Owen
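
The point made in the message above, that "deny all for uninitiated inbound traffic" comes from connection state tracking and not from address translation, can be shown as a stateful IPv6 forwarding policy with no NAT in it. This is an added example, not part of the original post; it uses nftables, and the table name `edge_filter`, the interface names `wan0` and `lan0`, and the 2001:db8:: documentation address are assumptions.

```nft
# Constructed example: stateful IPv6 filter on a router whose inside
# hosts use public (globally routable) addresses. No NAT rules exist.
# Assumed names: wan0 = upstream interface, lan0 = inside interface.

table ip6 edge_filter {
    chain forward {
        # Default deny: anything not matched below is dropped.
        type filter hook forward priority 0; policy drop;

        # Packets belonging to, or related to, flows an inside host
        # started. "related" covers ICMPv6 errors such as packet-too-big
        # for those flows, which path MTU discovery depends on.
        ct state established,related accept

        # Packets that do not fit any tracked flow.
        ct state invalid drop

        # Inside hosts may open new flows toward the Internet.
        iifname "lan0" oifname "wan0" ct state new accept

        # An inbound service is opened with one explicit rule for one
        # address and port, not with a port forward. Constructed host
        # and port, left commented out:
        # iifname "wan0" ip6 daddr 2001:db8:0:1::10 udp dport 5060 accept

        # Everything else arriving on wan0 reaches the drop policy,
        # the same outcome an unsolicited packet meets at a NAPT box.
    }
}
```

As the message notes, this policy only governs unsolicited inbound flows; connections an inside host opens itself are allowed by the `ct state new` rule and the replies by `established,related`.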