Only 5x IPv4 /8 remaining at IANA

George Bonser gbonser at seven.com
Mon Oct 18 17:52:18 UTC 2010



> -----Original Message-----
> From: Owen DeLong [mailto:owen at delong.com]
> Sent: Monday, October 18, 2010 9:25 AM
> To: George Bonser
> Cc: Henning Brauer; nanog at nanog.org
> Subject: Re: Only 5x IPv4 /8 remaining at IANA
> 
> 
> 
> Nobody is using dynamic nat pools to block inbound connections.
> 
> Many people are using dynamic NAT on top of stateful inspection where
> stateful inspection blocks inbound connections.
> 
> The good news is that stateful inspection doesn't go away in IPv6. It
> works
> just fine. All that goes away is the header mangling.

Exactly true but there are people out there who experience it as
"dynamic nat prevents inbound connections". And the extent to which
state is inspected varies widely on different gear (is it just looking
for an ACK flag to determine an "established" connection or is it making
sure that at least one packet has gone in the other direction first?).
At least with dynamic (overload) NAT, a packet had to travel in the
opposite (outbound) direction in order to establish the NAT in the first
place. Then with an "established" acl, the two things give you fairly
decent assurance that things went as planned but are still not a
substitute for packet inspection.

> It's really unfortunate that most people don't understand the
> distinction.

Concur.

> 
> IPv6 with SI is no less secure than IPv4 with SI+NAT. 

Yup, the difference is going to be the extent to which the state is
inspected in various gear.  Again, I believe firewall vendors are going
to see a windfall here.

And to address your comment in an email subsequent to this one about
accounting, I wholeheartedly agree.  NAT can make it much more difficult
to find what is causing a problem or even who is talking to whom.
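
The distinction George draws above (an "established" ACL that only checks for an ACK flag versus stateful inspection that requires an outbound packet to have opened the flow first), and Owen's point that the same inspection works unchanged for IPv6, can be seen in a small simulation. The code below is an added illustration, not part of the thread and not code from either poster: `established_acl`, `StatefulFilter` and the three constructed packets are assumptions made for the example, and the filters are address-family neutral so the same check runs on IPv4 and IPv6 endpoints.

```python
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Packet:
    """Minimal TCP packet model (constructed for the example)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset      # e.g. {"SYN"}, {"ACK"}, {"SYN", "ACK"}
    direction: str        # "out" = leaving the inside network, "in" = arriving


def established_acl(pkt: Packet) -> bool:
    """'established'-style ACL: inbound is allowed whenever ACK or RST is set.

    No state is kept, so any inbound segment carrying an ACK bit is accepted
    whether or not an inside host ever talked to that peer.
    """
    if pkt.direction == "out":
        return True
    return "ACK" in pkt.flags or "RST" in pkt.flags


class StatefulFilter:
    """Stateful inspection: inbound is allowed only for flows opened from inside.

    Addresses are parsed with ipaddress so v4 and v6 keys are handled alike;
    the table holds the 4-tuple of every outbound SYN seen.
    """

    def __init__(self) -> None:
        self.table: set = set()

    def allow(self, pkt: Packet) -> bool:
        key = (ip_address(pkt.src), pkt.sport, ip_address(pkt.dst), pkt.dport)
        if pkt.direction == "out":
            # An initial SYN from inside creates state; other outbound traffic passes.
            if "SYN" in pkt.flags and "ACK" not in pkt.flags:
                self.table.add(key)
            return True
        # Inbound: permitted only if it is the reverse of a flow we opened.
        reverse = (ip_address(pkt.dst), pkt.dport, ip_address(pkt.src), pkt.sport)
        return reverse in self.table


def compare(inside: str, outside: str, stranger: str) -> dict:
    """Run three constructed packets through both filters.

    Returns {description: (established_acl_verdict, stateful_verdict)}.
    """
    sf = StatefulFilter()
    syn = Packet(inside, 50000, outside, 443, frozenset({"SYN"}), "out")
    synack = Packet(outside, 443, inside, 50000, frozenset({"SYN", "ACK"}), "in")
    stray = Packet(stranger, 40000, inside, 22, frozenset({"ACK"}), "in")
    results = {}
    for name, pkt in (("outbound SYN", syn),
                      ("reply SYN/ACK", synack),
                      ("unsolicited ACK", stray)):
        results[name] = (established_acl(pkt), sf.allow(pkt))
    return results


if __name__ == "__main__":
    # Constructed documentation-range addresses; same logic for v4 and v6.
    for family, hosts in (("IPv4", ("192.0.2.10", "198.51.100.1", "203.0.113.9")),
                          ("IPv6", ("2001:db8::10", "2001:db8::1", "2001:db8:bad::1"))):
        print(family)
        for name, (acl, si) in compare(*hosts).items():
            print(f"  {name:16s} established-ACL={acl!s:5s} stateful={si}")
```

The "unsolicited ACK" row is the one that matters: the flag-only check accepts it, the stateful table rejects it, and the verdicts are identical for the IPv4 and IPv6 runs, which is exactly why the inspection depth of the gear, not the presence of NAT, decides how much inbound traffic is really blocked.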