nanog mailing list archives

Re: misunderstanding scale


From: Owen DeLong <owen () delong com>
Date: Mon, 24 Mar 2014 20:02:51 -0700


On Mar 24, 2014, at 9:21 AM, William Herrin <bill () herrin us> wrote:

> On Sun, Mar 23, 2014 at 11:07 PM, Naslund, Steve <SNaslund () medline com> wrote:
>> I am not sure I agree with the basic premise here. NAT or Private addressing does not equal security.
>
> Hi Steve,
>
> It is your privilege to believe this and to practice it in the
> networks you operate.
>
> Many of the folks you would have deploy IPv6 do not agree. They take
> comfort in the mathematical impossibility of addressing an internal
> host from an outside packet that is not part of an ongoing session.
> These folks find that address-overloaded NAT provides a valuable
> additional layer of security.

Which impossibility has been disproven multiple times.

> Some folks WANT to segregate their networks from the Internet via a
> general-protocol transparent proxy. They've had this capability with
> IPv4 for 20 years. IPv6 poorly addresses their requirement.

Actually, there are multiple implementations of transparent proxies available
for IPv6. NAT isn't the same thing at all.

If you want to make your life difficult in IPv6, you can. Nobody prevents you from
doing so. It is discouraged and nonsensical, but quite possible at this point.

Owen
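The property the thread argues over, that an outside packet cannot reach an inside host unless it belongs to a session the inside host started, comes from stateful filtering, not from address translation. The model below is an added example written for this archive page, not code from any poster or from any real firewall: it keeps a flow table for a globally addressed IPv6 LAN (constructed 2001:db8::/32 documentation addresses) and admits inbound packets only when they match an outbound flow, with no translation anywhere. The prefix, hosts and ports are assumptions chosen for the demonstration.

```python
"""Stateful IPv6 ingress filter with no address translation.

Added example, not from the NANOG thread. It models the decision that
a stateful firewall makes (the equivalent of an nftables rule that
accepts only 'ct state established,related' inbound): unsolicited
packets to a globally routable inside host are dropped unless they
match a flow the inside host initiated. All addresses are constructed
documentation addresses under 2001:db8::/32, not real hosts.
"""
from dataclasses import dataclass
import ipaddress

# Assumption: this is the LAN prefix behind the filter.
INSIDE = ipaddress.ip_network("2001:db8:1::/64")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class StatefulFilter:
    """Forward between inside and outside; admit inbound only for known flows."""

    def __init__(self, inside_net=INSIDE):
        self.inside = inside_net
        # Flow key: (proto, inside_addr, inside_port, outside_addr, outside_port)
        self.flows = set()

    def _is_inside(self, addr):
        return ipaddress.ip_address(addr) in self.inside

    def process(self, pkt):
        """Return 'accept' or 'drop'; outbound packets create flow state."""
        src_in, dst_in = self._is_inside(pkt.src), self._is_inside(pkt.dst)
        if src_in and not dst_in:
            # Outbound: record the flow so the reply can come back in.
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "accept"
        if dst_in and not src_in:
            # Inbound: accept only if the reverse 5-tuple is an existing flow.
            key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            return "accept" if key in self.flows else "drop"
        # Assumption: this box only forwards between inside and outside.
        return "drop"


def demo():
    """Run a client session and two unsolicited probes through the filter."""
    fw = StatefulFilter()
    host = "2001:db8:1::10"        # constructed inside host
    server = "2001:db8:ffff::53"   # constructed outside server
    outbound = fw.process(Packet(host, 51234, server, 443))
    reply = fw.process(Packet(server, 443, host, 51234))
    # Attacker addresses the inside host directly; there is no flow for it.
    unsolicited = fw.process(Packet("2001:db8:ffff::bad", 4444, host, 22))
    # Same server, but a port the inside host never used: also no flow.
    wrong_port = fw.process(Packet(server, 443, host, 51235))
    return outbound, reply, unsolicited, wrong_port


if __name__ == "__main__":
    print(demo())
```

The inside host is reachable by its real global address the whole time; what stops the unsolicited packets is the absence of matching state, which is exactly what a NAPT box also relies on (it just additionally rewrites the header). A production ruleset needs one addition this model omits: ICMPv6 error messages such as Packet Too Big must be admitted even without a matching flow, or path MTU discovery breaks for the inside hosts.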


