IPv6 deployment excuses
Masataka Ohta
mohta at necom830.hpcl.titech.ac.jp
Tue Jul 5 02:34:17 UTC 2016

Jared Mauch wrote:
>> Are you saying, without NAT or something like that to restrict
>> reachable ports, the Internet, regardless of whether it is with
>> IPv4 or IPv6, is not very secure?
>
> I'm saying two things:
>
> 1) UPnP is a security nightmare and nobody (at scale)
> will let you register ports with their CGN/edge.

Don't do that. Just have static port forwarding. UPnP
may be used as a channel to advertise the forwarding
information but you can also do it manually (for reverse
translation, configuring a global IP address and a range
of port numbers is enough).

> 2) We are an industry in transition. Internet connectivity
> will soon be defined by v6 + v4, not v4+ sometimes v6.

Yeah, we have been so for these 20 years.

> Our services need to work for the broadest set of users. Many
> people are now used to the non-e2e results of a NAT/CGN environment.

Exactly. And, as e2e transparency over NAT can be offered to
exceptional people, we can live with IPv4 forever.

Masataka Ohta