Re: misunderstanding scale

["Patrick W. Gilmore" <patrick () ianai net>]

On Mar 24, 2014, at 13:17 , William Herrin <bill () herrin us> wrote:
> On Mon, Mar 24, 2014 at 1:05 PM, Patrick W. Gilmore <patrick () ianai net> wrote:
> > On Mar 24, 2014, at 12:21, William Herrin <bill () herrin us> wrote:

> > > Some folks WANT to segregate their networks from the Internet via a
> > > general-protocol transparent proxy. They've had this capability with
> > > IPv4 for 20 years. IPv6 poorly addresses their requirement.
> >
> > NAT i s not required for the above. Any firewall can stop incoming packets unless they are part of an established 
> > session. NAT doesn't add much of anything, especially given that you can have one-to-one NAT.
>
> Hi Patrick,
>
> What sort of traction are you getting from that argument with
> enterprise security folks who object to deploying IPv6 because of NAT?

The _good_ security people complain about deploying NAT in v4 or v6, because they don't think it is "security".

What sort of traction do you get with security people when you tell them NAT == "security in depth"?

If you mean "do people who get hired by $CORPORATION and do not know anything about security get upset when you tell 
them something they did not know?" The answer is "frequently, yes". I'm not sure what that has to do with the 
discussion at hand, though.

-- 
TTFN,
patrick

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail