IPv6 NAT
Scott McGrath
mcgrath at fas.harvard.edu
Fri Oct 31 18:42:04 UTC 2003
Agreed NAT's do not create security although many customers believe they
do. NAT's _are_ extremely useful in hiding network topologies from casual
inspection.
What I usually recommend to those who need NAT is a stateful firewall in
front of the NAT. The rationale being the NAT hides the topology and the
stateful firewall provides the security boundary.
Scott C. McGrath
On Thu, 30 Oct 2003, Stephen Sprunk wrote:
>
> Thus spake <Michael.Dillon at radianz.com>
> > Now, I'm not claiming that every device capable of IPv4 NAT is currently
> > able to function in this way, but there are no technical barriers to
> prevent
> > manufacturers from making IPv6 devices that function in this way. The
> > IPv6 vendor marketing folks can even invent terms like NAT (Network
> > Authority Technology) to describe this simple IPv6 firewall function, i.e.
> > IPv6 NAT.
>
> Or you could simply call it what it is -- a firewall -- since that's what
> most consumers think NAT is anyways.
>
> While I disagree with the general sentiment that NATs create security, the
> standard usage of such devices is certainly that of a stateful firewall.
>
> S
>
> Stephen Sprunk "God does not play dice." --Albert Einstein
> CCIE #3723 "God is an inveterate gambler, and He throws the
> K5SSS dice at every possible opportunity." --Stephen Hawking
>
More information about the NANOG
mailing list