v6 & DSL / Cable modems [was: Private use of non-RFC1918 IP space
Matthew Moyle-Croft
mmc at internode.com.au
Sat Feb 7 03:06:50 UTC 2009
Stephen Sprunk wrote:
>
> You must be very sheltered. Most end users, even "security" folks at
> major corporations, think a NAT box is a firewall and disabling NAT is
> inherently less secure. Part of that is factual: NAT (er, dynamic
> PAT) devices are inherently fail-closed because of their design, while
> a firewall might fail open. Also, NAT prevents some information
> leakage by hiding the internal details of the site's network, and many
> folks place a high value on "security" through obscurity. This is
> understandable, since the real threats -- uneducated users and flawed
> software -- are ones they have no power to fix.
It's also worth pointing out that CPE for DSL often has really poor
stateful firewall code. So often turning it off means less issues for
home users. At least NAT gives some semblance of protection. IPv6
without NAT might be awesome to some, but the reality is CPE is built to
a price and decent firewall code is thin on the ground. I'm not hopeful
of it getting better when IPv6 starts to become mainstream.
(In case it's not clear - I'm not talking about enterprise stuff - I'm
talking about CPE for domestic DSL/Cable users - please don't tell me
all about how cool NetScreen/PIX/ASA/<insert favourite fw> is for
enterprise).
MMC
--
Matthew Moyle-Croft - Internode/Agile - Networks
Level 4, 150 Grenfell Street, Adelaide, SA 5000 Australia
Email: mmc at internode.com.au Web: http://www.on.net
Direct: +61-8-8228-2909 Mobile: +61-419-900-366
Reception: +61-8-8228-2999 Fax: +61-8-8235-6909
More information about the NANOG
mailing list