nanog mailing list archives
Re: IPv6 uptake
From: Michael Thomas <mike () mtcc com>
Date: Sat, 17 Feb 2024 10:50:46 -0800
On 2/17/24 10:26 AM, Owen DeLong via NANOG wrote:
> On Feb 16, 2024, at 14:20, Jay R. Ashworth <jra () baylink com> wrote:
>> ----- Original Message -----
>> From: "Justin Streiner" <streinerj () gmail com>
>>> 4. Getting people to unlearn the "NAT=Security" mindset that we were forced to accept in the v4 world.
>> NAT doesn't "equal" security. But it is certainly a *component* of security, placing control of what internal nodes are accessible from the outside in the hands of the people inside.
> Uh, no… no it is not. Stateful inspection (which the kind of NAT (actually NAPT) you are assuming here depends on) is a component of security. You can do stateful inspection without mutilating the header and have all the same security benefits without losing or complicating the audit trail.
Exactly. As I said elsewhere, the security properties of NAT were a post-hoc rationalization. In the meantime, it has taken on its own life as if not NAT'ing (but still having stateful firewalls) would end the known security universe. We can seriously lose NAT for v6 and not lose anything of worth.
Mike
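Added example, not part of the original message or written by anyone in the thread: a constructed Python model of the point under discussion, running the same traffic through a state table with and without NAPT to compare the accept/drop decisions and the source address visible outside. The class and function names and the 2001:db8:: documentation addresses are assumptions made for illustration.

```python
# Constructed model: one state table, used with and without address rewriting.
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class StatefulFirewall:
    napt_addr: Optional[str] = None            # None = routed, header left intact
    flows: dict = field(default_factory=dict)  # outside-visible 4-tuple -> inside (addr, port)
    next_port: int = 40000

    def outbound(self, p: Packet) -> Packet:
        """Record the flow; rewrite the source only when NAPT is enabled."""
        if self.napt_addr:
            src, sport = self.napt_addr, self.next_port
            self.next_port += 1
        else:
            src, sport = p.src, p.sport
        self.flows[(p.dst, p.dport, src, sport)] = (p.src, p.sport)
        return Packet(src, sport, p.dst, p.dport)

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Deliver only packets that match a recorded flow; drop the rest."""
        inside = self.flows.get((p.src, p.sport, p.dst, p.dport))
        if inside is None:
            return None  # unsolicited: the state table drops it, NAT or not
        return Packet(p.src, p.sport, *inside)

def demo() -> dict:
    host = Packet("2001:db8:1::10", 51515, "2001:db8:2::80", 443)
    results = {}
    for name, fw in (("napt", StatefulFirewall("2001:db8:ffff::1")),
                     ("stateful-only", StatefulFirewall())):
        wire = fw.outbound(host)
        reply = Packet(wire.dst, wire.dport, wire.src, wire.sport)
        probe = Packet("2001:db8:2::99", 4444, wire.src, 22)  # no matching flow
        results[name] = {
            "reply_delivered": fw.inbound(reply) is not None,
            "probe_delivered": fw.inbound(probe) is not None,
            "source_seen_outside": wire.src,  # what upstream logs record
        }
    return results
```

Both configurations make identical decisions from the flow table; only the NAPT case replaces the originating host address in what outside logs record.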