Rate of growth on IPv6 not fast enough?
Leen Besselink
leen at consolejunkie.net
Tue Apr 20 20:31:46 UTC 2010
On 04/20/2010 09:31 PM, Roger Marquis wrote:
> Jack Bates wrote:
>> .01%? heh. NAT can break xbox, ps3, certain pc games, screw with various
>> programs that dislike multiple connections from a single IP, and the
>> crap load of vpn clients that appear on the network and do not support
>> nat traversal (either doesn't support it, or big corp A refuses to
>> enable it).
>
> If this were really an issue I'd expect my nieces and nephews, all of whom
> are big game players, would have mentioned it. They haven't though, despite
> being behind cheap NATing CPE from D-Link and Netgear.
>
> Address conservation aside, the main selling point of NAT is its filtering
> of inbound session requests. NAT _always_ fails closed by forcing inbound
> connections to pass validation by stateful inspection. Without this you'd
> have to depend on less reliable (fail-open) mechanisms and streams could be
> initiated from the Internet at large. In theory you could enforce
> fail-closed reliably without NAT, but the rules would have to be more
> complex and complexity is the enemy of security. Worse, if
As others have mentioned on the list, this is wrong. NAT is the one that
makes things much more complicated, in fact. And even NAT can be tricked.

But I do have a question:

Do you think TCP port 53 for DNS is only used for domain-name transfers?
> non-NATed CPE didn't do adequate session validation, inspection, and
> tracking, as low-end gear might be expected to cut corners on, end-user
> networks would be more exposed to nefarious outside-initiated streams.
>
> Arguments against NAT uniformly fail to give credit to these security
> considerations, which is a large reason the market has not taken IPv6
> seriously to-date. Even in big business, CISOs are able to shoot down
> netops recommendations for 1:1 address mapping with ease (not that vocal
> NAT opponents get jobs where internal security is a concern).
>
> IMO,
> Roger Marquis
>
>
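The quoted argument claims that a fail-closed inbound policy without NAT needs complex rules. As an added illustration that is not part of the original thread or either poster's words, the following nftables ruleset for a dual-interface IPv6 edge box shows what the non-NAT equivalent actually looks like: a default-drop policy with connection tracking, so nothing from the outside reaches a host unless an internal host initiated the flow. Interface names `lan0` and `wan0` are assumptions for the example; the ICMPv6 allow list is the minimum a routed IPv6 segment needs for neighbour discovery and path-MTU discovery to keep working.

```nftables
# Added example, not from the original post. Interface names lan0/wan0 are assumed.
# Load with: nft -f this-file.nft   (flushes nothing; use `nft flush ruleset` first if needed)

table inet edge {
    chain input {
        # Traffic to the router itself: drop unless explicitly allowed below.
        type filter hook input priority filter; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ICMPv6 the router must answer for IPv6 to function at all
        # (neighbour discovery, PMTUD, error reporting). Echo is allowed for
        # reachability testing; remove the echo-request entry to silence pings.
        icmpv6 type {
            nd-neighbor-solicit, nd-neighbor-advert,
            nd-router-solicit, nd-router-advert,
            packet-too-big, time-exceeded, parameter-problem,
            destination-unreachable, echo-request
        } accept

        # Management from the inside only.
        iif "lan0" tcp dport 22 accept
    }

    chain forward {
        # Traffic crossing the router: the stateful "fail-closed" part.
        type filter hook forward priority filter; policy drop;

        # Replies and related flows (e.g. FTP data, ICMPv6 errors) for
        # sessions that conntrack has already seen are the only unsolicited-
        # looking packets that get back in.
        ct state established,related accept
        ct state invalid drop

        # Anything originating on the LAN may go out; conntrack records it.
        iif "lan0" oif "wan0" accept

        # Inbound ICMPv6 error/PMTUD messages for LAN hosts. Neighbour
        # discovery is link-local and is never forwarded.
        iif "wan0" oif "lan0" icmpv6 type {
            packet-too-big, time-exceeded, parameter-problem,
            destination-unreachable
        } accept

        # A deliberate pinhole would be one explicit rule, e.g.
        #   iif "wan0" oif "lan0" ip6 daddr 2001:db8:1::80 tcp dport 443 accept
        # Without such a rule, every externally initiated flow hits the
        # chain's drop policy, which is the fail-closed behaviour NAT is
        # credited with, minus the address rewriting.
    }
}
```

Two points worth checking when deploying something like this: `ct state invalid drop` must come after the `established,related` accept so that legitimate out-of-window packets on tracked flows are not silently binned, and the forward chain must not carry a blanket ICMPv6 accept in the WAN-to-LAN direction, since echo-request from the outside is exactly the kind of outside-initiated traffic the policy is meant to refuse unless an operator chooses to allow it.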