nanog mailing list archives

Re: IPv6 uptake (was: The Reg does 240/4)


From: William Herrin <bill () herrin us>
Date: Sat, 17 Feb 2024 10:24:51 -0800

On Sat, Feb 17, 2024 at 10:03 AM Michael Thomas <mike () mtcc com> wrote:
> On 2/16/24 5:37 PM, William Herrin wrote:
> > What is there to address? I already said that NAT's security
> > enhancement comes into play when a -mistake- is made with the network
> > configuration. You want me to say it again? Okay, I've said it again.
>
> The implication being that we should keep NAT'ing ipv6 for... a thin
> veil of security. That all of the other things that NAT breaks are worth
> the trouble because we can't trust our fat fingers on firewall configs.

Hi Mike,

There's no "we" here, no one-size-fits-all answer. Some folks
evaluating their scenario with their details will conclude that NAT's
security benefit outweighs its performance and functionality
implications. Others evaluating other scenarios will reach different
answers.

For enterprise customers, you're talking about folks who've been doing
NAT for two decades and have more recently implemented HTTPS capture
and re-encryption in order to scan for malware in transit. Will many
of them insist on NAT and its security enhancement when they get
around to deploying IPv6? Bet on it.

So, what happens when you try to tell such folks that they don't need
NAT for security in IPv6? It contradicts their -correct- intuition
that NAT has a security benefit, but because they can't quite nail
down what's wrong with your claim, it leaves them unsure. And what do
people who are unsure about an IPv6 deployment do? Nothing! They put
it back on the shelf and return to it in a couple of years.

Regards,
Bill Herrin


-- 
William Herrin
bill () herrin us
https://bill.herrin.us/
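An added example, not part of Bill Herrin's message or of anything else in this thread: the stateful nftables filter that gives a globally addressed IPv6 site the "no unsolicited inbound connections" property NAT provides as a side effect, shown next to the fat-fingered variant the exchange above refers to (the chain policy left at accept), plus a pre-load check that catches that mistake. The table name `edge`, the interface name `lan`, and the 2001:db8:1::/48 site prefix are assumptions (documentation prefix); the check is a plain-text lint so it runs without nft installed.

```shell
#!/bin/sh
# Added example, not from the thread. Emits an IPv6 stateful filter for a
# site edge router, a misconfigured copy of it, and a lint that rejects any
# ruleset whose input/forward chains do not default to drop.
# Assumed names: table "edge", LAN interface "lan", prefix 2001:db8:1::/48.

# Correct ruleset: chains default to drop, conntrack lets return traffic in.
# This is the property NAT gives for free; here it has to be stated.
ipv6_stateful_ruleset() {
cat <<'EOF'
table inet edge {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iifname "lo" accept
    meta l4proto ipv6-icmp accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    # ICMPv6 must pass or PMTUD and error reporting break for the site
    meta l4proto ipv6-icmp icmpv6 type { packet-too-big, time-exceeded, parameter-problem, echo-request, echo-reply } accept
    # Sessions may be initiated from the LAN only (iifname "lan" is assumed)
    iifname "lan" ip6 saddr 2001:db8:1::/48 accept
  }
}
EOF
}

# The mistake: identical rules, but the chain policy was left at accept.
# Behind NAT this typo exposes nothing; with global IPv6 addresses every
# host on the prefix becomes reachable from the Internet.
ipv6_fatfingered_ruleset() {
  ipv6_stateful_ruleset | sed 's/policy drop;/policy accept;/'
}

# check_default_drop: read a ruleset on stdin; exit 0 only if at least one
# chain is hooked on input or forward and every such chain says "policy drop".
check_default_drop() {
  awk '
    /hook (input|forward)/ {
      hooked++
      if ($0 !~ /policy drop;/) bad++
    }
    END {
      if (hooked == 0 || bad > 0) exit 1
      exit 0
    }
  '
}

# Stand-alone usage: lint both rulesets and report.
if ipv6_stateful_ruleset | check_default_drop; then
  echo "stateful ruleset: default-drop on all hooked chains"
fi
if ! ipv6_fatfingered_ruleset | check_default_drop; then
  echo "fat-fingered ruleset: REJECTED, a hooked chain defaults to accept"
fi
```

A wrapper that runs `ipv6_stateful_ruleset | check_default_drop && nft -f -` is the cheap way to make the "fat finger" case fail closed at deploy time rather than be discovered by someone else; `nft -c -f` will accept either ruleset as syntactically valid, which is exactly why a policy lint is needed on top of it.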

