nanog mailing list archives

Re: Addressing plan exercise for our IPv6 course


From: Jens Link <lists () quux de>
Date: Mon, 26 Jul 2010 06:24:04 +0200

Owen DeLong <owen () delong com> writes:

>> You know that, I know that and (hopefully) all people on this list know
>> that. But NAT == security was and still is sold by many people.
>
> So is snake oil.

Ack, but people are still buying snake oil too.

>> After one of my talks about IPv6 the firewall admins of a company said
>> something like: "So we can't use NAT as an excuse anymore and have to
>> configure firewall rules? We don't want this."
>
> So how did you answer him?

To be honest: I don't remember. I got drunk that evening. ;-)

> The correct answer is "No, you don't have to configure rules, you just need
> one rule supplied by default which denies anything that doesn't have a
> corresponding outbound entry in the state table and it works just like NAT
> without the address mangling".

They used NAT as an excuse not to let some applications out to the
outside.

Jens
-- 
-------------------------------------------------------------------------
| Foelderichstr. 40   | 13595 Berlin, Germany    | +49-151-18721264     |
| http://blog.quux.de | jabber: jenslink () guug de | -------------------  | 
-------------------------------------------------------------------------
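Added example, not from the thread or either poster: a toy model of the "one default rule" Owen describes (drop inbound traffic with no matching outbound state entry), placed beside a toy port-translating NAT gateway. Both make the same accept/drop decision on inbound packets; the NAT only adds address and port rewriting. Addresses, ports and class names are constructed sample values, and the state table here is a bare set with no timeouts or TCP state tracking.

```python
# Toy model, constructed for this example: a stateful default-deny filter
# (no address mangling) next to a port-translating NAT gateway.
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


Key = Tuple[str, str, int, str, int]  # proto, src, sport, dst, dport


class StatefulFirewall:
    """Default-deny inbound, no address rewriting.

    Outbound packets create a state entry.  An inbound packet is forwarded
    only if it is the reverse of an entry created by outbound traffic.
    Real firewalls also age entries out and track TCP state; this toy does not.
    """

    def __init__(self) -> None:
        self.state: Set[Key] = set()

    def outbound(self, p: Packet) -> Packet:
        self.state.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return p                      # forwarded unchanged

    def inbound(self, p: Packet) -> Optional[Packet]:
        reverse: Key = (p.proto, p.dst, p.dport, p.src, p.sport)
        if reverse in self.state:
            return p                  # reply to something we sent: allow
        return None                   # the single default rule: drop


class NatGateway:
    """Toy port-translating NAT.

    Unsolicited inbound traffic has no table entry and is dropped for exactly
    the same reason as in StatefulFirewall; the only extra work is rewriting
    addresses and ports on the way out and back.
    """

    def __init__(self, external_ip: str, first_port: int = 40000) -> None:
        self.external_ip = external_ip
        self.next_port = first_port
        # (proto, ext_port, remote_ip, remote_port) -> (inside_ip, inside_port)
        self.table: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}

    def outbound(self, p: Packet) -> Packet:
        ext_port = self.next_port
        self.next_port += 1
        self.table[(p.proto, ext_port, p.dst, p.dport)] = (p.src, p.sport)
        # source address and port are mangled on the way out
        return Packet(self.external_ip, ext_port, p.dst, p.dport, p.proto)

    def inbound(self, p: Packet) -> Optional[Packet]:
        entry = self.table.get((p.proto, p.dport, p.src, p.sport))
        if entry is None:
            return None               # no mapping: dropped, same as default deny
        inside_ip, inside_port = entry
        return Packet(p.src, p.sport, inside_ip, inside_port, p.proto)


if __name__ == "__main__":
    fw = StatefulFirewall()
    fw.outbound(Packet("2001:db8:1::10", 50000, "2001:db8:ffff::80", 80))
    print("reply:", fw.inbound(Packet("2001:db8:ffff::80", 80, "2001:db8:1::10", 50000)))
    print("unsolicited SSH:", fw.inbound(Packet("2001:db8:bad::1", 4444, "2001:db8:1::10", 22)))
```

The inbound decision in both classes is the same table lookup; only the NAT returns a rewritten packet. One caveat for a real IPv6 deployment: a default-deny ruleset must still admit the ICMPv6 types needed for neighbour discovery and path MTU discovery (RFC 4890), or the "just like NAT" setup breaks connectivity that NAT44 never had to care about.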

