nanog mailing list archives

Re: Addressing plan exercise for our IPv6 course


From: "Akyol, Bora A" <bora () pnl gov>
Date: Tue, 27 Jul 2010 12:05:19 -0700

Please see comments inline.


On 7/22/10 10:13 PM, "Owen DeLong" <owen () delong com> wrote:

In all reality:

1. NAT has nothing to do with security. Stateful inspection provides
   security; NAT just mangles addresses.
Of course, the problem is that there are millions of customers that believe
that NAT == security. This needs to change.

2. In the places where NAT works, it does so at a terrible cost. It
   breaks a number of things, and applications like Skype are
   incredibly more complex pieces of code in order to solve NAT
   traversal.

I look at this as water under the bridge. Yep, it was complicated code and
now it works. I can run bittorrent just fine beyond an Apple wireless router
and I did nothing to make that work. Micro-torrent just communicates with
the router to make the port available.


The elimination of NAT is one of the greatest features of IPv6.

Most customers don't know or care what NAT is and wouldn't know the
difference between a NAT firewall and a stateful inspection firewall.

I do think that people will get rid of the NAT box by and large, or, at least
in IPv6, the box won't be NATing.

Whether or not they NAT it, it's still better to give the customer enough
addresses that they don't HAVE to NAT.

Owen


Of course, no disagreement there. The real challenge is going to be
education of customers so that they can actually configure a firewall policy
to protect their now-suddenly-addressable-on-the-Internet home network. I
would love to see how SOHO vendors are going to address this.
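To make concrete the distinction the thread keeps returning to (stateful inspection is what protects the LAN, NAT only rewrites addresses) and the kind of firewall policy a SOHO router would need once every home host is globally addressable, here is a constructed nftables ruleset for an IPv6 router with no NAT at all. It is an added illustration, not from either poster; the interface names lan0/wan0 and the 2001:db8: prefix are assumptions.

```nftables
#!/usr/sbin/nft -f
# Constructed example: stateful IPv6 filtering on a SOHO router, no NAT.
# Assumed interfaces: lan0 (inside, the delegated prefix) and wan0 (upstream).
flush ruleset

table ip6 soho {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # The stateful part: only return traffic for flows the LAN opened gets in.
        ct state established,related accept
        ct state invalid drop

        # ICMPv6 error messages must pass or path MTU discovery breaks.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept
        # Inbound ping is allowed but rate-limited; remove this line to block it.
        icmpv6 type echo-request limit rate 10/second accept

        # Anything the LAN initiates toward the Internet is allowed.
        iifname "lan0" oifname "wan0" accept

        # Explicit inbound pinhole (assumed host address, documentation prefix):
        # iifname "wan0" ip6 daddr 2001:db8:1:1::10 tcp dport 22 accept
        # Everything else arriving from wan0 falls through to the drop policy.
    }

    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # Neighbor Discovery and router advertisements are addressed to the router itself.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } accept
        # Management from the LAN side only.
        iifname "lan0" tcp dport { 22, 443 } accept
        # DHCPv6 replies from the upstream (server port 547 to client port 546).
        iifname "wan0" udp sport 547 udp dport 546 accept
    }
}
```

Load with `nft -f` on the router; the forward chain is what stands in for the accidental protection a NAT box used to give, and the pinhole line shows that exposing one inside host is an explicit decision rather than a port-forward.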
