Mon Jun 4 11:36:54 UTC 2007

Sander Steffann wrote:
> Hi,
>> In fact, and call me crazy, but I can't help but wonder how 
>> many enterprises
>> out there will see IPv6 and its concept of "real IPs for all machines,
>> internal and external!" and respond with "Hell No."
>> Anyone got any numbers for that? I'm happy to admit I don't. :)
> No numbers, but the customers I talked to usually have the feeling that
> public IP addresses on their machines seems to imply publicly (and thus
> unprotected) reachability for those machines. They don't understand the
> difference between NAT and stateful firewalls...
> This is what leads to the "Hell No" attitude in my case. Educating them
> about security seems the only solution.
I think that rather than attempting to educate their customers about 
security, firewall vendors will probably just sell a NAT-capable IPv6 
firewall. It's the path of least resistance to profit. (A lot of 
mainstream vendors have helped push the idea that NAT is synonymous with 
firewalling. Take the Cisco PIX as an example, where up until very 
recently you had to configure NAT to allow traffic through the device.)

Even people I have spoken to that understand the difference between 
firewalling/reachability and NATing are still in favour of NAT. The 
argument basically goes "Yes, I understand that having a public address 
does not necessarily mean being publicly reachable. But having a 
private address means that [inbound] public reachability is simply not 
possible without explicit configuration to enable it", i.e. NAT is seen 
as an extra layer of security.

I want NAT to die but I think it won't.
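As an added illustration (not part of the original thread or anyone's words in it), the following Python model puts the two devices the thread contrasts side by side: a stateful IPv6 firewall in front of globally addressed hosts, and an IPv4 NAT box. Both keep a connection-state table; the only thing NAT adds is address and port rewriting. Unsolicited inbound packets are dropped by both unless an administrator has explicitly published the service, and return traffic for an outbound flow is accepted by both. The addresses are taken from the documentation ranges (2001:db8::/32, 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24), the packets are constructed for the example, and the classes are a toy model, not any real firewall's implementation.

```python
"""Toy model: stateful IPv6 firewall (no translation) vs. IPv4 NAT.

Constructed example. The "unreachable unless explicitly configured"
property comes from the state table, not from address rewriting.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class StatefulFirewall:
    """Default-deny inbound; outbound flows create state; explicit allow list.
    Addresses pass through unchanged, so inside hosts keep global addresses."""
    allow_inbound: set = field(default_factory=set)  # {(dst_ip, dport)} explicitly published
    state: set = field(default_factory=set)          # established flows, keyed as seen inbound

    def outbound(self, pkt: Packet) -> Packet:
        # Remember the flow in the orientation the reply will arrive in.
        self.state.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return pkt  # no rewriting

    def inbound(self, pkt: Packet):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.state:                      # reply to something we sent
            return pkt
        if (pkt.dst, pkt.dport) in self.allow_inbound:  # explicitly opened service
            return pkt
        return None                                # unsolicited: dropped


@dataclass
class NatBox:
    """Same state table as above, plus source rewriting and port forwards."""
    public_ip: str
    next_port: int = 40000
    forwards: dict = field(default_factory=dict)  # {public_port: (inside_ip, port)}
    table: dict = field(default_factory=dict)     # outside 4-tuple -> (inside_ip, port)

    def outbound(self, pkt: Packet) -> Packet:
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.table[(pkt.dst, pkt.dport, self.public_ip, pub_port)] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, pub_port, pkt.dst, pkt.dport)  # source rewritten

    def inbound(self, pkt: Packet):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.table:                      # reply: translate back to inside host
            ip, port = self.table[key]
            return Packet(pkt.src, pkt.sport, ip, port)
        if pkt.dport in self.forwards:             # explicitly configured port forward
            ip, port = self.forwards[pkt.dport]
            return Packet(pkt.src, pkt.sport, ip, port)
        return None                                # unsolicited: dropped


def demo() -> dict:
    """Run the same four situations through both devices and report the outcomes."""
    fw = StatefulFirewall(allow_inbound={("2001:db8:1::443", 443)})
    nat = NatBox(public_ip="198.51.100.1", forwards={443: ("192.0.2.10", 443)})

    # 1. Unsolicited SSH probes from outside.
    probe6 = fw.inbound(Packet("2001:db8:ffff::1", 50000, "2001:db8:1::10", 22))
    probe4 = nat.inbound(Packet("203.0.113.9", 50000, "198.51.100.1", 22))

    # 2. Inside host opens an HTTPS connection; the server replies.
    out6 = fw.outbound(Packet("2001:db8:1::10", 51000, "2001:db8:ffff::53", 443))
    reply6 = fw.inbound(Packet(out6.dst, out6.dport, out6.src, out6.sport))
    out4 = nat.outbound(Packet("192.0.2.10", 51000, "203.0.113.53", 443))
    reply4 = nat.inbound(Packet(out4.dst, out4.dport, out4.src, out4.sport))

    # 3. Inbound to a service the administrator explicitly published.
    web6 = fw.inbound(Packet("2001:db8:ffff::1", 50001, "2001:db8:1::443", 443))
    web4 = nat.inbound(Packet("203.0.113.9", 50001, "198.51.100.1", 443))

    return {
        "probe6_dropped": probe6 is None,
        "probe4_dropped": probe4 is None,
        "reply6_accepted": reply6 is not None,
        "reply4_accepted": reply4 is not None,
        "fw_kept_global_source": out6.src == "2001:db8:1::10",
        "nat_rewrote_source": out4.src == "198.51.100.1",
        "nat_translated_reply_back": reply4 is not None and reply4.dst == "192.0.2.10",
        "web6_accepted": web6 is not None,
        "web4_forwarded_inside": web4 is not None and web4.dst == "192.0.2.10",
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point the model makes explicit is that `NatBox.inbound` and `StatefulFirewall.inbound` take the same decision on the same state table; the NAT's "extra layer" is the rewrite step, which changes reachability only in the sense that the inside address is not what the outside world sees.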


