nanog mailing list archives
Re: IPv6 uptake (was: The Reg does 240/4)
From: "Jay R. Ashworth" <jra () baylink com>
Date: Fri, 16 Feb 2024 23:18:55 +0000 (UTC)
----- Original Message -----
From: "William Herrin" <bill () herrin us>
> On Fri, Feb 16, 2024 at 2:19 PM Jay R. Ashworth <jra () baylink com> wrote:
>> From: "Justin Streiner" <streinerj () gmail com>
>>> 4. Getting people to unlearn the "NAT=Security" mindset that we were forced to accept in the v4 world.
>>
>> NAT doesn't "equal" security. But it is certainly a *component* of security, placing control of what internal nodes are accessible from the outside in the hands of the people inside.
>
> Every firewall does that. What NAT does above and beyond is place control of what internal nodes are -addressable- from the outside in the hands of the people inside -- so that most of the common mistakes with firewall configuration don't cause the internal hosts to -become- accessible.
>
> The distinction doesn't seem that subtle to me, but a lot of folks making statements about network security on this list don't appear to grasp it.

You bet. I knew someone would chime in, but whether they'd be agreeing with me -- as you are -- or yelling at me, wasn't clear.

It's a default deny (NAT) vs default allow (firewall) question, and I prefer default deny -- at least inbound. You *can* run NAT as default deny outbound, too, but it's much less tolerable for general internet connectivity -- in some dedicated circumstances, it can be workable.

Cheers,
-- jra
--
Jay R. Ashworth            Baylink                       jra () baylink com
Designer                   The Things I Think            RFC 2100
Ashworth & Associates      http://www.bcp38.info         2000 Land Rover DII
St Petersburg FL USA       BCP38: Ask For It By Name!    +1 727 647 1274
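
The addressable-versus-accessible distinction discussed in the message above, as an added example that is not part of any poster's message: a simplified Python model in which the same stray permit-any inbound rule is applied to a routed edge and to a NAPT edge. The `Edge` class, the function names and all addresses (documentation and private ranges) are constructed for illustration.

```python
# Simplified model (constructed for illustration): one edge device, two designs.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Edge:
    inside: str                        # internal prefix
    nat_ip: Optional[str] = None       # set => NAPT hides the inside prefix
    permit_any_inbound: bool = False   # the mistake: a stray "permit any" rule
    flows: set = field(default_factory=set)    # stateful-firewall flow table
    xlate: dict = field(default_factory=dict)  # NAPT: public port -> (host, port)

    def outbound(self, src, sport, dst, dport):
        """Inside host opens a flow; returns (src, sport) as seen outside."""
        self.flows.add((src, sport, dst, dport))
        if self.nat_ip is None:
            return src, sport
        pub = 40000 + len(self.xlate)          # hypothetical port allocation
        self.xlate[pub] = (src, sport)
        return self.nat_ip, pub

    def inbound(self, src, sport, dst, dport):
        """Return the inside (host, port) a packet reaches, or None if dropped."""
        if self.nat_ip is not None:
            if dst != self.nat_ip or dport not in self.xlate:
                return None            # no mapping: no inside host to forward to
            dst, dport = self.xlate[dport]
        elif ip_address(dst) not in ip_network(self.inside):
            return None
        reply = (dst, dport, src, sport) in self.flows
        return (dst, dport) if reply or self.permit_any_inbound else None

def unsolicited_reach(edge, outside, targets, port=22):
    """Targets where an unsolicited packet from `outside` is delivered inside."""
    return [t for t in targets if edge.inbound(outside, 50000, t, port)]

HOSTS = ["192.0.2.10", "192.0.2.11"]        # constructed: routed public hosts
PRIV = ["192.168.1.10", "192.168.1.11"]     # constructed: hosts behind NAPT
OUT = "198.51.100.7"                        # constructed: outside sender

def demo():
    routed = Edge("192.0.2.0/24", permit_any_inbound=True)
    natted = Edge("192.168.1.0/24", nat_ip="203.0.113.5", permit_any_inbound=True)
    return (unsolicited_reach(routed, OUT, HOSTS),
            unsolicited_reach(natted, OUT, PRIV + ["203.0.113.5"]))

if __name__ == "__main__":
    print(demo())
```

The model covers only the unsolicited-inbound case raised in the thread; static port forwards and outbound policy are left out.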