nanog mailing list archives

Re: misunderstanding scale


From: Mark Tinka <mark.tinka () seacom mu>
Date: Mon, 24 Mar 2014 18:35:18 +0200

On Monday, March 24, 2014 02:56:13 PM Timothy Morizot wrote:

NAT traversal is and has long been fairly trivial. NAT
and RFC1918 provides no meaningful host protection
whatsoever and never has. The only thing that limits
direct access to internal networks is a stateful
firewall. (Well, IPS can also drop packets.) That's true
for IPv4 and for IPv6. So an enterprise relying on NAT44
and RFC1918 for internal host protection instead of a
stateful firewall already has no meaningful security in
place.

Don't disagree with you there.

I'm saying many an enterprise (small and large) as well as 
homes operate this way. There is a lot of unlearning to do.

The whole issue is that a number of enterprises "may" only 
feel safe if IPv6 comes with NAT66, probably on top (or not 
on top) of a stateful IPv6 firewall.

We need to think about how to re-train the enterprise, if we 
don't want to repeat the erasure of the end-to-end model, 
second time around.

Mark.
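As an added illustration of the point made in this exchange (this ruleset is constructed for this page and is not from either poster), here is a stateful IPv6 edge firewall that protects internal hosts with connection tracking alone, with no NAT66 in the path. Interface names (wan0, lan0), the 2001:db8:1::/48 documentation prefix and the single published service are assumptions.

```nftables
#!/usr/sbin/nft -f
# Constructed example: stateful IPv6 forwarding policy with no NAT66.
# Assumed names: wan0 (upstream), lan0 (internal), prefix 2001:db8:1::/48.

flush ruleset

table inet edge {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # The stateful part: only replies to flows the inside opened come back in.
        ct state established,related accept
        ct state invalid drop

        # Anything the inside initiates toward the outside is allowed out.
        iifname "lan0" oifname "wan0" accept

        # ICMPv6 that IPv6 needs to function (PMTUD, error reporting), rate limited.
        iifname "wan0" icmpv6 type {
            destination-unreachable, packet-too-big, time-exceeded,
            parameter-problem, echo-request
        } limit rate 50/second accept

        # Explicitly published inside services only; all else hits policy drop.
        iifname "wan0" oifname "lan0" ip6 daddr 2001:db8:1:10::25 tcp dport 443 accept

        # Make the drops visible rather than silent (rate limited to avoid log floods).
        iifname "wan0" limit rate 5/minute log prefix "v6-fwd-drop "
    }
}
```

Unsolicited inbound packets to any internal global address fall through to the chain's drop policy, which is the same protection an RFC1918 network actually gets from the stateful device in front of it, without address rewriting.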
