Security gain from NAT (was: Re: Cool IPv6 Stuff)
sam_mailinglists at spacething.org
Wed Jun 6 07:56:33 UTC 2007
Nathan Ward wrote:
> On 5/06/2007, at 9:29 PM, <michael.dillon at bt.com>
> <michael.dillon at bt.com> wrote:
>>> I posit that a screen door does not provide any security.
>> "Any" is too strong a word. For people living in an area with
>> malaria-carrying mosquitoes, that screen door may be more important for
>> security than a solid steel door with a deadbolt. It all depends on what
>> the risks are, what you are protecting, and where your priorities are.
>> It is rather odd to see this discussion just a few weeks after the IETF
>> issued RFC 4864 to address just this misconception of NAT. How many of
>> the participants have read the RFC? Assuming vendors of cheap consumer
>> IPv6 gateway boxes implement all the LNP (Local Network Protection)
>> features of RFC 4864, is there any reason for these boxes to also
>> support NAT?
>> As far as I can see the only good reason to put NAT in an IPv6 gateway
>> is because uneducated consumers demand it as a checklist feature. In
>> that case, let's hope that it is off by default and that disabling the
>> NAT does not disrupt any of the other LNP features. That way, when the
>> customer calls the support desk to complain that they are not getting
>> SIP calls from Mom, you can tell them to turn off the NAT and try again.
> I don't think anyone is suggesting that you should put NAPT in an IPv6
> gateway. A few days ago it was suggested by Sam Stickland that a
> blocker to moving to IPv6 was the lack of NAPT, and the security
> features that are an integral part of its functionality.
This thread has been done to death now, but what I originally said was
that the use of NAT in IPv4 means that many enterprises don't feel any
pressure to move to IPv6, and that furthermore there are many myths and
weird design tactics in use that make people (incorrectly) think they
need NAT for reasons above and beyond public address conservation. I
also expressed a concern that because of this some nefarious vendors
will start selling IPv6 NAT boxes (again, not a good thing!).
Time will tell, but I think it's time the thread I seem to have spawned