Rate of growth on IPv6 not fast enough?

Jim Burwell jimb at jsbc.cc
Wed Apr 21 12:46:47 UTC 2010


On 4/21/2010 03:38, Mark Smith wrote:
> On Tue, 20 Apr 2010 21:16:10 -0700 Owen DeLong <owen at delong.com>
> wrote:
>
>>>
>>> Frankly, when you hear people strongly using the argument
>>> stateful firewalling == NAT, you start to wonder if they've
>>> ever seen a stateful firewall using public addresses.
>>>
>> I've run several of them.
>>
>
> My comment wasn't a reply to you, more of a general comment about
> the surprising effort you still need to go to explain that
> stateful firewalling doesn't mandate NAT.
>
> I sometimes wonder if some people's heads would explode if I told
> them that this PC is directly attached to the Internet, has both
> public IPv4 and IPv6 addresses, and is performing stateful
> firewalling - with no NAT anywhere.
>
I hear ya.  Except for simple translations (e.g. one-to-one, whole net
xlates), NAT is dependent on SPI, but SPI is not dependent on NAT.
But some seem to combine the two into a single inseparable concept.
I've definitely run into people who confuse the concepts, and who also
presume that without NAT there is less or no security.

This head definitely wouldn't explode, since back in the early to mid
90s I ran enterprise networks on which all hosts had public IPs and
there was no NAT at all.  First protected by "dumb filters" on
routers, which were fairly quickly replaced by dedicated SPI firewalls
(such as Checkpoint).  The first couple of SPI firewalls I used didn't
even *have* NAT capability.  Yet, they did a fine job securing my LANs
without it.  And this is at a time when most workstations and servers
on the LAN didn't have firewalls themselves (no OS included FW).

Despite it doing the job it was intended to do, I've always seen NAT
as a bit of an ugly hack, with potential to get even uglier with LSN
and multi-level NAT in the future.  I personally welcome a return to a
NAT-less world with IPv6.  :)
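The point made above (a stateful firewall needs a flow table, but not address translation) as an added example that is not part of the original post: a minimal connection-tracking filter that forwards packets between public IPv6 addresses untouched. The prefix `2001:db8:1::/64` for the "inside" network and the packet trace are constructed for the demo (RFC 3849 documentation space).

```python
# Minimal stateful-inspection (SPI) filter on public IPv6 addresses, no NAT.
# Added example for this thread, not code from the original post; the inside
# prefix and the packet trace below are constructed sample values.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

INSIDE = ipaddress.ip_network("2001:db8:1::/64")  # assumed LAN prefix behind the firewall

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True when this packet opens a new TCP connection

def is_inside(addr: str) -> bool:
    return ipaddress.ip_address(addr) in INSIDE

class StatefulFirewall:
    """Tracks flows by 4-tuple and forwards packets unchanged: no translation."""
    def __init__(self) -> None:
        self.state = set()  # established flows, keyed from the initiator's view

    def filter(self, pkt: Packet) -> Tuple[str, Optional[Packet]]:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.state or rev in self.state:
            return "ESTABLISHED", pkt  # reply to, or continuation of, a known flow
        if pkt.syn and is_inside(pkt.src) and not is_inside(pkt.dst):
            self.state.add(fwd)  # inside-initiated: create state, same as NAT would,
            return "NEW", pkt    # but the addresses and ports are left as they are
        return "DROP", None  # unsolicited inbound: no matching state, no entry created

def run_trace(packets: List[Packet]) -> List[str]:
    fw = StatefulFirewall()
    return [fw.filter(p)[0] for p in packets]

# Constructed trace: outbound HTTPS, its reply, then an unsolicited inbound SSH attempt.
TRACE = [
    Packet("2001:db8:1::10", 51000, "2001:db8:ffff::80", 443, syn=True),
    Packet("2001:db8:ffff::80", 443, "2001:db8:1::10", 51000),
    Packet("2001:db8:2::1", 40000, "2001:db8:1::10", 22, syn=True),
]

if __name__ == "__main__":
    print(run_trace(TRACE))  # ['NEW', 'ESTABLISHED', 'DROP']
```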