nanog mailing list archives
Re: Cool IPv6 Stuff
From: Donald Stahl <don () calis blacksun org>
Date: Mon, 4 Jun 2007 11:37:11 -0400 (EDT)
Even people I have spoken to that understand the difference between firewalling/reachability and NATing are still in favour of NAT. The argument basically goes "Yes, I understand that having a public address does not necessarily mean being publicly reachable. But having a private address means that [inbound] public reachability is simply not possible without explicit configuration to enable it". i.e. NAT is seen as an extra layer of security.
Far too many "security" folks are dictating actual implementation details and that's fundamentally wrong.
I want NAT to die but I think it won't.
A security policy should read "no external access to the network" and it should be up to the network/firewall folks to determine how best to make that happen. Unfortunately many security policies go so far as to explicitly require NAT.
-Don