IPv6 uptake (was: The Reg does 240/4)

William Herrin bill at herrin.us
Sat Feb 17 18:24:51 UTC 2024


On Sat, Feb 17, 2024 at 10:03 AM Michael Thomas <mike at mtcc.com> wrote:
> On 2/16/24 5:37 PM, William Herrin wrote:
> > What is there to address? I already said that NAT's security
> > enhancement comes into play when a -mistake- is made with the network
> > configuration. You want me to say it again? Okay, I've said it again.
>
> The implication being that we should keep NAT'ing IPv6 for... a thin
> veil of security. That all of the other things that NAT breaks is worth
> the trouble because we can't trust our fat fingers on firewall configs.

Hi Mike,

There's no "we" here, no one-size-fits-all answer. Some folks
evaluating their scenario with their details will conclude that NAT's
security benefit outweighs its performance and functionality
implications. Others evaluating other scenarios will reach different
answers.

For enterprise customers, you're talking about folks who've been doing
NAT for two decades and have more recently implemented HTTPS capture
and re-encryption in order to scan for malware in transit. Will many
of them insist on NAT and its security enhancement when they get
around to deploying IPv6? Bet on it.

So, what happens when you try to tell such folks that they don't need
NAT for security in IPv6? It contradicts their -correct- intuition
that NAT has a security benefit, but because they can't quite nail
down what's wrong with your claim, it leaves them unsure. And what do
people who are unsure about an IPv6 deployment do? Nothing! They put
it back on the shelf and return to it in a couple of years.

Regards,
Bill Herrin


-- 
William Herrin
bill at herrin.us
https://bill.herrin.us/
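The argument above (NAT's security benefit shows up only when the filter configuration is wrong) can be made concrete with a small model. The following is an added illustration, not code from the thread or from either author; the StatefulFilter and Nat44 classes, the rule format, the addresses and the scenarios are all constructed for this example. It compares a stateful filter in front of globally routed IPv6 hosts with the same filter behind a NAT44, once with the intended default-deny rule set and once with a mistaken catch-all allow rule. It also shows the limit of the NAT benefit: an inside endpoint that already has an active mapping is exposed by the same mistaken rule.

```python
"""Toy model: a stateful filter with and without NAT44 in front of it.

Added illustration, not code from the NANOG thread. Every address, port,
rule and device behaviour here is constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_addr: str
    src_port: int
    dst_addr: str
    dst_port: int


class StatefulFilter:
    """Stateful packet filter in front of globally routed addresses.

    Outbound traffic is always permitted and records return state.
    Unsolicited inbound traffic is matched against `rules`, a list of
    (dport or None for any, "allow" | "deny"); first match wins and the
    default is deny.
    """

    def __init__(self, rules):
        self.rules = list(rules)
        self.state = set()  # (local_addr, local_port, peer_addr, peer_port)

    def outbound(self, pkt):
        self.state.add((pkt.src_addr, pkt.src_port, pkt.dst_addr, pkt.dst_port))

    def inbound(self, pkt):
        """Return the inside endpoint the packet reaches, or None if dropped."""
        if (pkt.dst_addr, pkt.dst_port, pkt.src_addr, pkt.src_port) in self.state:
            return (pkt.dst_addr, pkt.dst_port)  # reply to a flow opened from inside
        for dport, action in self.rules:
            if dport is None or dport == pkt.dst_port:
                return (pkt.dst_addr, pkt.dst_port) if action == "allow" else None
        return None  # default deny


class Nat44(StatefulFilter):
    """Same filter, but inside hosts share one public address.

    An inbound packet must match a mapping created by earlier outbound
    traffic; with no mapping there is no inside destination, so the packet
    is dropped before the rule set is consulted. That is the fail-closed
    property that survives a mistaken rule.
    """

    def __init__(self, rules, public_addr):
        super().__init__(rules)
        self.public_addr = public_addr
        self.mappings = {}  # external port -> (inside_addr, inside_port)
        self.next_port = 40000  # toy allocator, constructed for the example

    def outbound(self, pkt):
        inside = (pkt.src_addr, pkt.src_port)
        ext_port = next((p for p, v in self.mappings.items() if v == inside), None)
        if ext_port is None:
            ext_port = self.next_port
            self.next_port += 1
            self.mappings[ext_port] = inside
        # Filter state is recorded on the translated (public) side.
        super().outbound(Packet(self.public_addr, ext_port, pkt.dst_addr, pkt.dst_port))

    def inbound(self, pkt):
        if pkt.dst_addr != self.public_addr or pkt.dst_port not in self.mappings:
            return None  # nothing to translate to, regardless of the rules
        if super().inbound(pkt) is None:
            return None
        return self.mappings[pkt.dst_port]


def run_scenarios():
    """Constructed scenarios; returns {name: inside endpoint reached or None}."""
    intended = []                  # no unsolicited inbound: default deny
    mistaken = [(None, "allow")]   # catch-all allow, e.g. left in after troubleshooting
    probe6 = Packet("2001:db8:ffff::bad", 51000, "2001:db8:1::10", 22)  # unsolicited SSH
    probe4 = Packet("198.51.100.7", 51000, "203.0.113.1", 22)
    results = {}

    results["ipv6 correct rules"] = StatefulFilter(intended).inbound(probe6)
    results["ipv6 mistaken rules"] = StatefulFilter(mistaken).inbound(probe6)

    nat = Nat44(mistaken, "203.0.113.1")
    results["nat44 mistaken rules"] = nat.inbound(probe4)

    # Legitimate return traffic still flows: inside host opens a flow first.
    nat.outbound(Packet("192.168.1.10", 55555, "198.51.100.7", 443))
    reply = Packet("198.51.100.7", 443, "203.0.113.1", 40000)
    results["nat44 return traffic"] = nat.inbound(reply)

    # Limit of the benefit: a mapped port plus the mistaken rule is still exposed.
    stray = Packet("192.0.2.99", 4444, "203.0.113.1", 40000)
    results["nat44 mapped port, other peer, mistaken rules"] = nat.inbound(stray)
    return results


if __name__ == "__main__":
    for name, reached in run_scenarios().items():
        print(f"{name:50s} -> {reached}")
```

With the intended rules both designs drop the probe; with the catch-all allow, the IPv6 host receives it while the NAT has no mapping for port 22 and drops it. The last scenario is the caveat a reviewer should keep in mind: the NAT only fails closed for endpoints that have no active mapping, so the benefit is a narrower blast radius for a configuration mistake, not a substitute for the correct rule set.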