nanog mailing list archives

Re: IPv6 uptake (was: The Reg does 240/4)


From: William Herrin <bill () herrin us>
Date: Fri, 16 Feb 2024 20:03:50 -0800

On Fri, Feb 16, 2024 at 7:41 PM John R. Levine <johnl () iecc com> wrote:
> That it's possible to implement network security well without using
> NAT does not contradict the claim that NAT enhances network security.
>
> I think we're each overgeneralizing from our individual experience.
>
> You can configure a V6 firewall to be default closed as easily as you can
> configure a NAT.

Hi John,

We're probably not speaking the same language. You're talking about
configuring the function of one layer in a security stack. I'm talking
about adding or removing a layer in a security stack. Address
overloaded NAT in conjunction with private internal addresses is an
additional layer in a security stack. It has security-relevant
properties that the other layers don't duplicate. Regardless of how
you configure it.

Also, you can't "configure" a layer to be default closed. That's a
property of the security layer. It either is or it is not.

You can configure a layer to be "default deny," which I assume is what
you meant. The issue is that anything that can be configured can be
accidentally unconfigured. When default-deny is accidentally
unconfigured, the network becomes wide open. When NAT is accidentally
unconfigured, the network stops functioning entirely. The gate is
closed.

Regards,
Bill Herrin


-- 
William Herrin
bill () herrin us
https://bill.herrin.us/
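An added model of the fail-open versus fail-closed distinction drawn in the message above, written for this page and not code from any poster: a stateful filter whose default-deny is a setting that can be lost, beside an address-overloaded NAT whose inbound path only works through mappings built by outbound traffic. The addresses (203.0.113.0/24 and 198.51.100.0/24 documentation space, 10.0.0.0/8 private space) are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, replace
PRIVATE = ipaddress.ip_network("10.0.0.0/8")  # RFC 1918 space used by the inside hosts

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class Firewall:
    """Stateful filter; 'default_deny' is a setting, so a bad change can turn it off."""
    def __init__(self, default_deny=True):
        self.default_deny, self.established = default_deny, set()
    def permits(self, pkt):
        return (pkt.dst, pkt.dport) in self.established or not self.default_deny

class Nat:
    """Address-overloaded NAT: inbound passes only where an outbound flow built a mapping."""
    def __init__(self, public_ip):
        self.public_ip, self.next_port, self.table = public_ip, 40000, {}
    def outbound(self, pkt):
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[port] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=port)
    def inbound(self, pkt):
        inside = self.table.get(pkt.dport)
        if inside is None or pkt.dst != self.public_ip:
            return None
        return replace(pkt, dst=inside[0], dport=inside[1])

def inbound_reaches(pkt, fw, nat, inside_hosts):
    """Does a packet from the Internet reach an inside host? A layer set to None is 'removed'."""
    if ipaddress.ip_address(pkt.dst) in PRIVATE:
        return False  # private destinations are unroutable on the Internet
    if fw is not None and not fw.permits(pkt):
        return False
    if nat is not None:
        pkt = nat.inbound(pkt)
        if pkt is None:
            return False
    return pkt.dst in inside_hosts

def round_trip(pkt, fw, nat, inside_hosts):
    """An inside host sends pkt; does the Internet's reply make it back to that host?"""
    wire = nat.outbound(pkt) if nat is not None else pkt
    if fw is not None:
        fw.established.add((wire.src, wire.sport))  # conntrack entry for the outbound flow
    reply = Packet(wire.dst, wire.dport, wire.src, wire.sport)
    return inbound_reaches(reply, fw, nat, inside_hosts)
```

Removing the filter (or flipping default_deny) lets an unsolicited probe reach a publicly addressed host, while removing the NAT leaves both unsolicited inbound and the inside hosts' own outbound flows dead.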

