nanog mailing list archives

Re: Only 5x IPv4 /8 remaining at IANA


From: Owen DeLong <owen () delong com>
Date: Mon, 18 Oct 2010 09:25:22 -0700


On Oct 18, 2010, at 8:47 AM, George Bonser wrote:

> -----Original Message-----
> From: Henning Brauer
> Sent: Monday, October 18, 2010 8:36 AM
> To: nanog () nanog org
> Subject: Re: Only 5x IPv4 /8 remaining at IANA
>
> instead of working on a viable alternative that doesn't suck.
> Which is certainly possible.
>
> I would say that at this point it is too late to resist v6 deployment
> but it might be a good time to work on the "next thing" and use v6 as an
> example of how not to do it next time.
>
> It certainly is going to present some security challenges for some
> folks, particularly the ones that have been using dynamic nat pools to,
> in effect, block inbound connections. Firewall vendors are going to see
> a windfall from v6, I think.
>
> G

Nobody is using dynamic nat pools to block inbound connections.

Many people are using dynamic NAT on top of stateful inspection where
stateful inspection blocks inbound connections.

The good news is that stateful inspection doesn't go away in IPv6. It works
just fine. All that goes away is the header mangling.

It's really unfortunate that most people don't understand the distinction.
If they did, it would help them to realize that NAT doesn't actually do
anything for security, it just helps with address conservation (although
it has some limits there, as well).

IPv6 with SI is no less secure than IPv4 with SI+NAT. If you're worried
about address and/or topological obfuscation, then, IPv6 offers you
privacy addresses with rotating numbers. However, that's more a
privacy issue than a security issue, unless you believe in the idea
of security through obscurity which is pretty well proven false.

Owen
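As an added illustration of the distinction drawn above (this is editorial example code, not part of the original thread or anyone's posted ruleset): an OpenBSD pf.conf fragment in which the IPv4 and IPv6 policies share the same stateful-inspection rules, and the only IPv4-specific lines are the address rewrites. The prefixes 192.0.2.0/24 and 2001:db8:1::/64, the uplink interface group `egress`, and the internal SSH host are assumptions for the example.

```pf
# Added example, not from the thread. Assumed: internal IPv4 prefix
# 192.0.2.0/24, internal IPv6 prefix 2001:db8:1::/64, the uplink in the
# "egress" interface group, and one internal host that should accept SSH.

set skip on lo

# --- IPv4 only: header mangling, which is all NAT adds ---
# Rewrite the source address of outbound packets to the uplink address.
# This conserves addresses; by itself it blocks nothing.
match out on egress inet from 192.0.2.0/24 to any nat-to (egress)

# --- Stateful inspection, identical for both address families ---
# Default deny for unsolicited inbound traffic on the uplink.
block in on egress

# Outbound connections create state; replies are matched against the
# state table and let back in. ("keep state" is pf's default anyway.)
pass out on egress inet  keep state
pass out on egress inet6 keep state

# --- Explicit inbound exceptions: the service we want reachable ---
# IPv4: the host has no public address, so the pass rule also needs a
# destination rewrite (rdr-to). The "pass in" is what opens the port;
# the rdr-to only fixes up the address.
pass in on egress inet proto tcp to (egress) port 22 rdr-to 192.0.2.10 keep state

# IPv6: the host is globally routable, so the pass rule alone suffices.
pass in on egress inet6 proto tcp to 2001:db8:1::10 port 22 keep state
```

Delete the `nat-to` and `rdr-to` clauses and the IPv4 policy behaves exactly like the IPv6 one (apart from private addresses not being routable upstream), which is the point: the inbound blocking lives in `block in` plus the state created by `pass out`, not in the translation. Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f`.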
