Re: IPv6 uptake (was: The Reg does 240/4)

[Michael Thomas <mike () mtcc com>]

On 2/16/24 3:01 PM, William Herrin wrote:
> On Fri, Feb 16, 2024 at 2:19 PM Jay R. Ashworth <jra () baylink com> wrote:
> > > From: "Justin Streiner" <streinerj () gmail com>
> > > 4. Getting people to unlearn the "NAT=Security" mindset that we were forced
> > > to accept in the v4 world.
> > NAT doesn't "equal" security.
> >
> > But it is certainly a *component* of security, placing control of what internal
> > nodes are accessible from the outside in the hands of the people inside.
> Hi Jay,
>
> Every firewall does that. What NAT does above and beyond is place
> control of what internal nodes are -addressable- from the outside in
> the hands of the people inside -- so that most of the common mistakes
> with firewall configuration don't cause the internal hosts to -become-
> accessible.

If you know which subnets need to be NAT'd don't you also know which 
ones shouldn't exposed to incoming connections (or conversely, which 
should be permitted)? It seems to me that all you're doing is moving 
around where that knowledge is stored? Ie, DHCP so it can give it 
private address rather than at the firewall knowing which subnets not to 
allow access? Yes, DHCP can be easily configured to make everything 
private, but DHCP for static reachable addresses is pretty handy too.

Mike