nanog mailing list archives
Re: IPv6 uptake (was: The Reg does 240/4)
From: William Herrin <bill () herrin us>
Date: Fri, 16 Feb 2024 20:03:50 -0800
On Fri, Feb 16, 2024 at 7:41 PM John R. Levine <johnl () iecc com> wrote:
That it's possible to implement network security well without using NAT does not contradict the claim that NAT enhances network security.I think we're each overgeneralizing from our individual expeience. You can configure a V6 firewall to be default closed as easily as you can configure a NAT.
Hi John, We're probably not speaking the same language. You're talking about configuring the function of one layer in a security stack. I'm talking about adding or removing a layer in a security stack. Address overloaded NAT in conjunction with private internal addresses is an additional layer in a security stack. It has security-relevant properties that the other layers don't duplicate. Regardless of how you configure it. Also, you can't "configure" a layer to be default closed. That's a property of the security layer. It either is or it is not. You can configure a layer to be "default deny," which I assume is what you meant. The issue is that anything that can be configured can be accidentally unconfigured. When default-deny is accidentally unconfigured, the network becomes wide open. When NAT is accidentally unconfigured, the network stops functioning entirely. The gate is closed. Regards, Bill Herrin -- William Herrin bill () herrin us https://bill.herrin.us/
Current thread:
- Re: IPv6 uptake, (continued)
- Re: IPv6 uptake Nick Hilliard (Feb 18)
- Re: IPv6 uptake Michael Thomas (Feb 18)
- Re: IPv6 uptake Nick Hilliard (Feb 18)
- Re: IPv6 uptake John Levine (Feb 18)
- RE: IPv6 uptake (was: The Reg does 240/4) Howard, Lee via NANOG (Feb 19)
- Re: IPv6 uptake (was: The Reg does 240/4) William Herrin (Feb 19)
- Re: IPv6 uptake (was: The Reg does 240/4) Michael Thomas (Feb 18)
- Re: IPv6 uptake (was: The Reg does 240/4) John Levine (Feb 16)
- Re: IPv6 uptake (was: The Reg does 240/4) William Herrin (Feb 16)
- Re: IPv6 uptake (was: The Reg does 240/4) John R. Levine (Feb 16)
- Re: IPv6 uptake (was: The Reg does 240/4) William Herrin (Feb 16)
- Re: IPv6 uptake (was: The Reg does 240/4) Ryan Hamel (Feb 16)
- Re: IPv6 uptake (was: The Reg does 240/4) Justin Streiner (Feb 17)
- Re: IPv6 uptake (was: The Reg does 240/4) Owen DeLong via NANOG (Feb 17)
- Re: IPv6 uptake (was: The Reg does 240/4) William Herrin (Feb 17)
- Re: IPv6 uptake (was: The Reg does 240/4) Steven Sommars (Feb 18)
- Re: IPv6 uptake Stephen Satchell (Feb 17)
- Re: IPv6 uptake (was: The Reg does 240/4) Tom Beecher (Feb 17)
- Re: IPv6 uptake (was: The Reg does 240/4) Owen DeLong via NANOG (Feb 17)
- Re: IPv6 uptake (was: The Reg does 240/4) Owen DeLong via NANOG (Feb 17)
- RE: IPv6 uptake (was: The Reg does 240/4) Howard, Lee via NANOG (Feb 19)