Rate of growth on IPv6 not fast enough?
Chris Adams
cmadams at hiwaay.net
Tue Apr 20 19:51:19 UTC 2010
Once upon a time, Roger Marquis <marquis at roble.com> said:
> Address conservation aside, the main selling point of NAT is its filtering
> of inbound session requests. NAT _always_ fails closed by forcing inbound
> connections to pass validation by stateful inspection. Without this you'd
> have to depend on less reliable (fail-open) mechanisms and streams could be
> initiated from the Internet at large. In theory you could enforce
> fail-closed reliably without NAT, but the rules would have to be more
> complex and complexity is the enemy of security.
NAT == stateful firewall + packet mangling. You can do all the same
stateful firewall bits and drop the packet mangling quite easily (it is
certainly not "more complex" to not mangle packets).
--
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
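The point of the reply above, as an added example that is not part of the original thread: a minimal model of a stateful packet filter in which connection tracking alone decides whether an inbound packet is accepted, and NAT is an optional rewriting stage bolted on top. The same unsolicited probe is dropped, and the same return traffic is delivered, whether or not addresses are mangled. The class, the flow-key layout and all addresses and ports are constructed for illustration and are not real conntrack internals; the nft rules named in the comments are the equivalent real-world configuration.

```python
"""
Toy model of "stateful firewall + packet mangling" (added example).

The accept/drop decision for inbound traffic comes from the state table,
which is the equivalent of an nft forward chain with `policy drop` and
`ct state established,related accept`. NAT (nft `masquerade`) only adds
source rewriting on the way out and un-rewriting on the way back in.
All addresses, ports and packets below are constructed sample data.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


# Flow key as seen on the outside of the firewall: (proto, src, sport, dst, dport).
FlowKey = Tuple[str, str, int, str, int]


class StatefulFirewall:
    """Tracks inside-initiated flows; inbound packets must match one.

    nat=False: plain stateful filter (the IPv6 case, globally routable hosts).
    nat=True:  the same filter plus source rewriting to public_addr.
    """

    def __init__(self, public_addr: str, nat: bool = False) -> None:
        self.public_addr = public_addr
        self.nat = nat
        self.next_port = 40000  # hypothetical NAT port allocator
        # outside flow key -> original inside (addr, port), or None without NAT
        self.state: Dict[FlowKey, Optional[Tuple[str, int]]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Packet from the inside network: always forwarded, creates state."""
        if self.nat:
            # Packet mangling: rewrite source address/port (masquerade).
            out = replace(pkt, src=self.public_addr, sport=self.next_port)
            self.next_port += 1
            self.state[(pkt.proto, out.src, out.sport, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        else:
            out = pkt
            self.state[(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)] = None
        return out

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet from the Internet: delivered only if it matches existing state."""
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)  # reverse direction
        if key not in self.state:
            return None  # fail closed: no flow, same as `policy drop`
        orig = self.state[key]
        if orig is None:
            return pkt  # no NAT: forward unchanged
        inside_addr, inside_port = orig
        return replace(pkt, dst=inside_addr, dport=inside_port)  # un-NAT


def run_scenario(nat: bool) -> dict:
    """Push the same three packets through a NAT and a non-NAT firewall."""
    if nat:
        fw = StatefulFirewall(public_addr="203.0.113.1", nat=True)
        inside, server, attacker = "192.168.1.10", "198.51.100.5", "198.51.100.99"
        probe_target = fw.public_addr
    else:
        fw = StatefulFirewall(public_addr="2001:db8::1", nat=False)
        inside, server, attacker = "2001:db8:1::10", "2001:db8:ffff::5", "2001:db8:bad::99"
        probe_target = inside  # globally routable, but still behind the filter

    # 1. Unsolicited inbound connection attempt: no state, dropped in both modes.
    probe = Packet(attacker, 40001, probe_target, 22)
    dropped = fw.inbound(probe) is None

    # 2. Inside host opens a connection outward; state is created.
    outgoing = fw.outbound(Packet(inside, 51234, server, 443))

    # 3. The server answers whatever source it saw; the reply matches state.
    reply = Packet(server, 443, outgoing.src, outgoing.sport)
    delivered = fw.inbound(reply)

    return {
        "unsolicited_dropped": dropped,
        "outside_src": (outgoing.src, outgoing.sport),
        "reply_delivered_to": (delivered.dst, delivered.dport) if delivered else None,
        "state_entries": len(fw.state),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("nat" if mode else "no nat", run_scenario(nat=mode))
```

In both runs the probe is dropped and the reply reaches the inside host; the only difference NAT makes is the source the server sees. The filtering logic is identical and not any more complex without the rewrite, which is the reply's point.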