Cool IPv6 Stuff
Donald Stahl
don at calis.blacksun.org
Mon Jun 4 15:37:11 UTC 2007
> Even people I have spoken to that understand the difference between
> firewalling/reachability and NATing are still in favour of NAT. The argument
> basically goes "Yes, I understand that having a public address does not
> necessarily mean being publicly reachable. But having a private address
> means that [inbound] public reachability is simply not possible without
> explicit configuration to enable it". i.e. NAT is seen as an extra layer of
> security.
>
> I want NAT to die but I think it won't.
Far too many "security" folks are dictating actual implementation details
and that's fundamentally wrong.
A security policy should read "no external access to the network" and it
should be up to the network/firewall folks to determine how best to make
that happen. Unfortunately many security policies go so far as to
explicitly require NAT.
-Don
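As an added illustration (not part of Don's post or the thread), the property the quoted argument credits to private addressing, that nothing inbound is reachable unless someone explicitly configures it, is what a default-drop stateful filter provides on its own. The nftables ruleset below expresses the policy "no external access to the network" for an IPv6 edge with global addresses and no NAT; the interface names `wan0`/`lan0`, the `2001:db8::10` host and the single permitted service are assumptions chosen for the example.

```nft
# Added example, not from the post: IPv6 edge policy with stateful filtering
# and no NAT. Interface names, the 2001:db8::10 host (documentation prefix)
# and the allowed service are assumptions for illustration.
table ip6 edge {
    chain input {
        type filter hook input priority 0; policy drop;

        # Only replies to traffic the inside initiated come back in by
        # default. This is the behaviour NAT supporters attribute to
        # private addressing; here it is an explicit filtering decision.
        ct state established,related accept
        ct state invalid drop

        iif "lo" accept

        # IPv6 depends on ICMPv6 (neighbour discovery, path MTU discovery),
        # so it is allowed deliberately rather than falling through to drop.
        meta l4proto ipv6-icmp accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop
        meta l4proto ipv6-icmp accept

        # Inside hosts may initiate outbound sessions.
        iif "lan0" oif "wan0" accept

        # Inbound reachability is a per-host, per-service, auditable
        # exception to the default deny: one host, one port, nothing else.
        iif "wan0" oif "lan0" ip6 daddr 2001:db8::10 tcp dport 443 ct state new accept
    }
}
```

Loaded with `nft -f`, this gives every host a globally routable address while leaving all of them unreachable from outside except the one documented exception, which is the separation between addressing and reachability the quoted paragraph is about. The ICMPv6 rule is the caveat worth remembering: filtering it wholesale, as NAT deployments often did implicitly, breaks neighbour discovery and PMTUD.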
More information about the NANOG mailing list