Rate of growth on IPv6 not fast enough?

• Previous message (by thread): Rate of growth on IPv6 not fast enough?
• Next message (by thread): Rate of growth on IPv6 not fast enough?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Once upon a time, Roger Marquis <marquis at roble.com> said:
> Address conservation aside, the main selling point of NAT is its filtering 
> of inbound
> session requests.  NAT _always_ fails-closed by forcing inbound connections 
> to pass
> validation by stateful inspection.  Without this you'd have to depend on 
> less
> reliable (fail-open) mechanisms and streams could be initiated from the 
> Internet at
> large.  In theory you could enforce fail-closed reliably without NAT, but 
> the rules
> would have to be more complex and complexity is the enemy of security.  

NAT == stateful firewall + packet mangling.  You can do all the same
stateful firewall bits and drop the packet mangling quite easily (it is
certainly not "more complex" to not mangle packets).

-- 
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

• Previous message (by thread): Rate of growth on IPv6 not fast enough?
• Next message (by thread): Rate of growth on IPv6 not fast enough?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]