Addressing plan exercise for our IPv6 course
Jens Link
lists at quux.de
Mon Jul 26 04:24:04 UTC 2010
Owen DeLong <owen at delong.com> writes:
>> You know that, I know that and (hopefully) all people on this list know
>> that. But NAT == security was and still is sold by many people.
>>
> So is snake oil.
Ack, but people are still buying snake oil too.
>> After one of my talks about IPv6 the firewall admins of a company said
>> something like: "So we can't use NAT as an excuse anymore and have to
>> configure firewall rules? We don't want this."
>>
> So how did you answer him?
To be honest: I don't remember. I got drunk that evening. ;-)
> The correct answer is "No, you don't have to configure rules, you just need
> one rule supplied by default which denies anything that doesn't have a
> corresponding outbound entry in the state table and it works just like NAT
> without the address mangling".
They used NAT as an excuse not to let some applications through to the
outside.
Jens
--
-------------------------------------------------------------------------
| Foelderichstr. 40 | 13595 Berlin, Germany | +49-151-18721264 |
| http://blog.quux.de | jabber: jenslink at guug.de | ------------------- |
-------------------------------------------------------------------------
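
The default rule described in the quoted reply, modelled in Python as an added example (not part of the original message and not written by either poster): inbound packets pass only if they mirror a live outbound entry in the state table, and forwarded packets keep their addresses. The class and function names, the 300-second idle timeout and the sample addresses are assumptions.

```python
import ipaddress
from typing import NamedTuple, Optional


class Packet(NamedTuple):
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFilter:
    """Single default rule: drop inbound traffic with no matching outbound state."""

    def __init__(self, inside_prefix: str, idle_timeout: int = 300):
        self.inside = ipaddress.ip_network(inside_prefix)
        self.idle_timeout = idle_timeout  # seconds; value is an assumption
        self.state = {}  # (proto, in_addr, in_port, out_addr, out_port) -> last seen

    def _inside(self, addr: str) -> bool:
        return ipaddress.ip_address(addr) in self.inside

    def forward(self, pkt: Packet, now: int) -> Optional[Packet]:
        """Return the packet exactly as forwarded, or None if it is dropped."""
        if self._inside(pkt.src) and not self._inside(pkt.dst):
            # Outbound: permitted, creates or refreshes the state entry.
            self.state[(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now
            return pkt
        if self._inside(pkt.dst) and not self._inside(pkt.src):
            # Inbound: accepted only as the mirror image of a live outbound flow.
            key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            seen = self.state.get(key)
            if seen is not None and now - seen <= self.idle_timeout:
                self.state[key] = now
                return pkt
            self.state.pop(key, None)  # expired or never existed
        return None  # default deny


def demo():
    # Constructed sample traffic; all addresses are documentation-prefix values.
    fw = StatefulFilter("2001:db8:1::/48")
    host, server, other = "2001:db8:1::10", "2001:db8:ffff::80", "2001:db8:bad::1"
    return [
        fw.forward(Packet("tcp", other, 50000, host, 22), now=0),      # unsolicited
        fw.forward(Packet("tcp", host, 40000, server, 443), now=1),    # outbound
        fw.forward(Packet("tcp", server, 443, host, 40000), now=2),    # reply
        fw.forward(Packet("tcp", other, 443, host, 40000), now=3),     # wrong peer
        fw.forward(Packet("tcp", server, 443, host, 40000), now=999),  # idle too long
    ]
```

A production IPv6 filter also has to pass the ICMPv6 messages needed for path MTU discovery, which this model leaves out.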