nanog mailing list archives
Re: NIST IPv6 document
From: Jeff Kell <jeff-kell () utc edu>
Date: Mon, 10 Jan 2011 19:22:46 -0500
On 1/10/2011 6:55 PM, Owen DeLong wrote:
> Nonetheless, NAT remains an opaque screen door at best. If the bad guy is behind the door, it helps hide him. If the bad guy is outside the door, the time it takes for his knife to cut through it is so small as to be meaningless.

For a "server" expected to be open to anyone, anywhere, anytime... yes. Otherwise no.

NAT overload (many to 1), and 1-to-1 NAT with some timeout value both serve to disconnect the potential targets from the network, absent any static NAT or port mapping (for "servers"). RFC-1918 behind NAT ensures this (notwithstanding pivot attacks).

It is a decreasing risk, given the typical user-initiated compromise of today (click here to infect your computer), but a non-zero one.

The whole IPv6 / no-NAT philosophy of "always connected and always directly addressable" eliminates this layer.

Jeff