Addressing plan exercise for our IPv6 course

Jens Link lists at quux.de
Mon Jul 26 04:24:04 UTC 2010


Owen DeLong <owen at delong.com> writes:

>> You know that, I know that and (hopefully) all people on this list know
>> that. But NAT == security was and still is sold by many people. 
>> 
> So is snake oil.

Ack, but people are still buying snake oil too.

>> After one of my talks about IPv6 the firewall admins of a company said
>> something like: "So we can't use NAT as an excuse anymore and have to
>> configure firewall rules? We don't want this."
>> 
> So how did you answer him?

To be honest: I don't remember. I got drunk that evening. ;-) 

> The correct answer is "No, you don't have to configure rules, you just need
> one rule supplied by default which denies anything that doesn't have a
> corresponding outbound entry in the state table and it works just like NAT
> without the address mangling".

They used NAT as an excuse not to let some applications to the
outside. 

Jens
-- 
-------------------------------------------------------------------------
| Foelderichstr. 40   | 13595 Berlin, Germany    | +49-151-18721264     |
| http://blog.quux.de | jabber: jenslink at guug.de | -------------------  | 
-------------------------------------------------------------------------




More information about the NANOG mailing list