Rate of growth on IPv6 not fast enough?

Marshall Eubanks tme at americafree.tv
Fri Apr 23 14:47:33 UTC 2010


On Apr 23, 2010, at 9:17 AM, Clue Store wrote:

>> But none of this does what NAT does for a big enterprise, which is
>> to *hide internal topology*. Yes, addressing the privacy concerns
>> that come from using lower-64-bits-derived-from-MAC-address is
>> required, but it is also necessary (for some organizations) to
>> make it impossible to tell that this host is on the same subnet as
>> that other host, as that would expose information like which host
>> you might want to attack in order to get access to the financial
>> or medical records, as well as whether or not the executive floor
>> is where these interesting website hits came from.
>>
>> Matthew Kaufman
>
>> Yeah, that information leak is one reason I can think of for supporting
>> NAT for IPv6.  One of the inherent security issues with unique
>> addresses, I suppose.
> <flame-suit-on>
>
> What makes you think that not using NAT exposes internal topology??

Or that internal topology cannot leak out through NATs? I have seen
NATed enterprises become massively compromised.

Regards
Marshall


> I have many cases where either filtering at layer-2 or NAT'ing a /48 for
> itself (or proxy-arp for those that do not have kits that can NAT IP
> blocks as itself) does NOT expose internal topology. Get your filtering
> correctly set up, and there is no use for NAT/PAT in v6.
>
> NAT was designed with one purpose in mind ..... extending the life of
> v4... period! The so-called security that most think NAT gives them is a
> side effect. NAT/PAT also breaks several protocols (PASV FTP, H.323,
> etc.) and I for one will be happy to see it go. I think it's a mistake
> to include NAT in v6 because there are other methodologies of
> accomplishing all of the side effects that everyone is used to seeing
> NAT provide without having to actually translate IPs or ports.
>
> I for one (as well as a lot of other folks I know) am not/will not be
> using any kind of NAT moving forward.
>
> </flame-suit-on>
>
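The "lower 64 bits derived from the MAC address" leak that Matthew Kaufman refers to above is concrete enough to show in code. The following is an added example, not part of this thread or of anyone's posted code: it builds the modified EUI-64 interface identifier that SLAAC derives from a MAC (RFC 4291, Appendix A), recovers the MAC back out of a resulting address, and groups addresses seen under different /64 prefixes by the embedded MAC, which is exactly how one host can be tracked as it moves between networks and how two addresses can be recognised as sitting on the same subnet. The MAC and the 2001:db8::/32 prefixes are constructed sample values; the function names are mine.

```python
import ipaddress
from collections import defaultdict

IID_MASK = (1 << 64) - 1


def mac_to_eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier for a 48-bit MAC (RFC 4291 App. A).

    The 24-bit OUI and 24-bit device part are separated by 0xFFFE and the
    universal/local bit (bit 0x02 of the first octet) is inverted.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host autoconfigures from an advertised /64 and its MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC requires a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | mac_to_eui64_iid(mac))


def recover_mac(addr: str):
    """Return the MAC embedded in an EUI-64 IID, or None if it does not look EUI-64.

    The check is the 0xFFFE marker in the middle of the IID. It is a heuristic:
    a randomly generated (privacy-extension) IID carries that pattern with
    probability 2^-16, so a hit on a single address is strong but not proof.
    """
    iid = int(ipaddress.IPv6Address(addr)) & IID_MASK
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None
    mac = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:]
    return ":".join(f"{x:02x}" for x in mac)


def same_prefix(a: str, b: str) -> bool:
    """True when two addresses share the same /64, i.e. the same subnet."""
    return int(ipaddress.IPv6Address(a)) >> 64 == int(ipaddress.IPv6Address(b)) >> 64


def track_by_mac(addresses):
    """Group observed addresses by the MAC their IID exposes.

    Every MAC that maps to more than one /64 is a host that has been seen on
    several networks under a stable, linkable identifier.
    """
    seen = defaultdict(set)
    for addr in addresses:
        mac = recover_mac(addr)
        if mac is not None:
            seen[mac].add(str(ipaddress.IPv6Network((int(ipaddress.IPv6Address(addr)) & ~IID_MASK, 64))))
    return {mac: sorted(prefixes) for mac, prefixes in seen.items()}


if __name__ == "__main__":
    # Constructed sample data: one MAC, two different /64s, plus one
    # random-looking (privacy-extension style) address on the first /64.
    mac = "00:1c:42:2b:60:5a"
    office = slaac_address("2001:db8:1:2::/64", mac)
    home = slaac_address("2001:db8:cafe:7::/64", mac)
    private = "2001:db8:1:2:5d3a:9c1e:7b2f:4a60"
    print("SLAAC address at the office:", office)
    print("MAC recovered from it:      ", recover_mac(str(office)))
    print("MAC from privacy address:   ", recover_mac(private))
    print("office and privacy address on the same subnet:", same_prefix(str(office), private))
    print("host tracked across networks:", track_by_mac([str(office), str(home), private]))
```

Running it shows the two sides of the argument in the thread: the EUI-64 address gives away the MAC and therefore links the same machine across any network it visits, while the random IID gives nothing back; but the privacy-extension address still shares its /64 with the office address, so the "same subnet" relationship that NAT advocates want hidden survives privacy extensions and has to be handled by filtering or addressing design rather than by the IID.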
