IPv6 uptake (was: The Reg does 240/4)
Jay R. Ashworth
jra at baylink.com
Fri Feb 16 23:18:55 UTC 2024
----- Original Message -----
> From: "William Herrin" <bill at herrin.us>
> On Fri, Feb 16, 2024 at 2:19 PM Jay R. Ashworth <jra at baylink.com> wrote:
>> > From: "Justin Streiner" <streinerj at gmail.com>
>> > 4. Getting people to unlearn the "NAT=Security" mindset that we were forced
>> > to accept in the v4 world.
>>
>> NAT doesn't "equal" security.
>>
>> But it is certainly a *component* of security, placing control of what internal
>> nodes are accessible from the outside in the hands of the people inside.
>
> Every firewall does that. What NAT does above and beyond is place
> control of what internal nodes are -addressable- from the outside in
> the hands of the people inside -- so that most of the common mistakes
> with firewall configuration don't cause the internal hosts to -become-
> accessible.
>
> The distinction doesn't seem that subtle to me, but a lot of folks
> making statements about network security on this list don't appear to
> grasp it.
You bet. I knew someone would chime in, but whether they'd be agreeing
with me -- as you are -- or yelling at me, wasn't clear.
It's a default deny (NAT) vs default allow (firewall) question, and
I prefer default deny -- at least inbound. You *can* run NAT as default
deny outbound, too, but it's much less tolerable for general internet
connectivity -- in some dedicated circumstances, it can be workable.
Cheers,
-- jra
--
Jay R. Ashworth Baylink jra at baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates http://www.bcp38.info 2000 Land Rover DII
St Petersburg FL USA BCP38: Ask For It By Name! +1 727 647 1274
More information about the NANOG
mailing list