IPv6 uptake (was: The Reg does 240/4)
Owen DeLong
owen at delong.com
Sat Feb 17 18:29:59 UTC 2024
Most firewalls are default deny. Routers are default allow unless you put a filter on the interface.
NAT adds nothing to security (Bill and I agree to disagree on this), but at best, it complicates the audit trail.
Owen
> On Feb 16, 2024, at 15:19, Jay R. Ashworth <jra at baylink.com> wrote:
>
> ----- Original Message -----
>> From: "William Herrin" <bill at herrin.us>
>
>> On Fri, Feb 16, 2024 at 2:19 PM Jay R. Ashworth <jra at baylink.com> wrote:
>>>> From: "Justin Streiner" <streinerj at gmail.com>
>>>> 4. Getting people to unlearn the "NAT=Security" mindset that we were forced
>>>> to accept in the v4 world.
>>>
>>> NAT doesn't "equal" security.
>>>
>>> But it is certainly a *component* of security, placing control of what internal
>>> nodes are accessible from the outside in the hands of the people inside.
>>
>> Every firewall does that. What NAT does above and beyond is place
>> control of what internal nodes are -addressable- from the outside in
>> the hands of the people inside -- so that most of the common mistakes
>> with firewall configuration don't cause the internal hosts to -become-
>> accessible.
>>
>> The distinction doesn't seem that subtle to me, but a lot of folks
>> making statements about network security on this list don't appear to
>> grasp it.
>
> You bet. I knew someone would chime in, but whether they'd be agreeing
> with me -- as you are -- or yelling at me, wasn't clear.
>
> It's a default deny (NAT) vs default allow (firewall) question, and
> I prefer default deny -- at least inbound. You *can* run NAT as default
> deny outbound, too, but it's much less tolerable for general internet
> connectivity -- in some dedicated circumstances, it can be workable.
>
> Cheers,
> -- jra
> --
> Jay R. Ashworth Baylink jra at baylink.com
> Designer The Things I Think RFC 2100
> Ashworth & Associates http://www.bcp38.info 2000 Land Rover DII
> St Petersburg FL USA BCP38: Ask For It By Name! +1 727 647 1274
More information about the NANOG
mailing list