nanog mailing list archives
Re: IPv6 uptake (was: The Reg does 240/4)
From: William Herrin <bill () herrin us>
Date: Sat, 17 Feb 2024 10:24:51 -0800
On Sat, Feb 17, 2024 at 10:03 AM Michael Thomas <mike () mtcc com> wrote:
> On 2/16/24 5:37 PM, William Herrin wrote:
>> What is there to address? I already said that NAT's security enhancement comes into play when a -mistake- is made with the network configuration. You want me to say it again? Okay, I've said it again.
>
> The implication being that we should keep NAT'ing ipv6 for... a thin veil of security. That all of the other things that NAT breaks is worth the trouble because we can't trust our fat fingers on firewall configs.

Hi Mike,

There's no "we" here, no one-size-fits-all answer. Some folks evaluating their scenario with their details will conclude that NAT's security benefit outweighs its performance and functionality implications. Others evaluating other scenarios will reach different answers.

For enterprise customers, you're talking about folks who've been doing NAT for two decades and have more recently implemented HTTPS capture and re-encryption in order to scan for malware in transit. Will many of them insist on NAT and its security enhancement when they get around to deploying IPv6? Bet on it.

So, what happens when you try to tell such folks that they don't need NAT for security in IPv6? It contradicts their -correct- intuition that NAT has a security benefit, but because they can't quite nail down what's wrong with your claim, it leaves them unsure. And what do people who are unsure about an IPv6 deployment do? Nothing! They put it back on the shelf and return to it in a couple of years.

Regards,
Bill Herrin

--
William Herrin
bill () herrin us
https://bill.herrin.us/