Enterprise IPv6 (Was: Cool IPv6 Stuff/Security gain from NAT)
Nathan Ward
nanog at daork.net
Tue Jun 5 02:18:58 UTC 2007
On 4/06/2007, at 9:52 PM, Sam Stickland wrote:
>
> Jared Mauch wrote:
>>
>> http://www.icann.org/meetings/lisbon/presentation-doering-
>> ipv6-25mar07.pdf
>>
> In answer to two questions at the end of this document:
>
> • what are enterprises waiting for?
> • should we ditch IPv6, and live with IPv4 + NAT forever?
>
> Personally I hate NAT. But I currently work in a large enterprise
> environment and NAT is surprisingly popular. I came from a service
> provider background and some of the attitudes I've discovered
> towards private addresses in enterprise environments are quite
> surprising. Aside from the usual proponents of using NAT to hide
> your internal address infrastructure (which security always seem to
> insist upon) quite a popular design rule of thumb seems to be "Only
> carry public addresses on the public Internet and only carry
> private addresses on your private network" :-|
>
> If an Enterprise doesn't have a great deal of IP addresses that
> need to be routed on the public internet, and they think that NAT
> is a _good_ design choice, it seems to me that they don't have a
> great deal of pressure to move to IPv6.
While those are valid concerns, stateless inspection fills the "gap"
that NAPT provides in terms of filtering packets, and the privacy
extensions for stateless autoconfiguration (RFC 3041 and further work,
enabled by default on Windows, disabled by default on Mac and BSD, not
sure about Linux) address the "lack" of anonymity.
What this thread fails to mention is that NAPT is a band-aid. It
won't help us forever, as it still requires one IPv4 address per site
(however that is defined), unless it is proposed that ISPs start to
put many customers behind a single NAPT - which I strongly hope it's
not.
While it's entertaining [1] to debate the pros/cons of NAPT's ability
to provide security for the 500th time, we're essentially debating
the pros/cons of a "technology" that is going to (hopefully) be
outdated soon. I suggest we move on.
Sam, have you heard any concerns, other than that "NAPT provides us
security" one?
--
Nathan Ward
[1] Ok, it's actually not.
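As an added illustration, not part of the original thread or of anyone's posted code, the two interface-identifier constructions Nathan's reply contrasts: the modified EUI-64 identifier that plain stateless autoconfiguration (RFC 4291 Appendix A) derives from the MAC address, which is what makes a host trackable across prefixes, and one iteration of the RFC 3041 section 3.2.1 randomized identifier that the privacy extensions substitute for it. The MAC address, prefix and initial history value are constructed sample data.

```python
"""IPv6 interface identifiers: EUI-64 (traceable) vs RFC 3041 temporary (randomized).

Added example for the NANOG thread above; not code from the thread.
All MAC addresses, prefixes and history values are constructed sample data.
"""
import hashlib
import ipaddress
from typing import Optional, Tuple


def mac_to_modified_eui64(mac: str) -> bytes:
    """Derive the 64-bit modified EUI-64 interface identifier from a 48-bit MAC.

    RFC 4291 Appendix A: insert 0xFFFE between the OUI and the device part,
    then invert the universal/local bit (value 0x02 of the first octet).
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui64 = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui64[0] ^= 0x02
    return bytes(eui64)


def eui64_to_mac(iid: bytes) -> Optional[str]:
    """Recover the MAC from a modified-EUI-64 IID, or None if it is not one.

    This is the anonymity problem: anyone who sees the address learns the
    hardware address (and therefore the vendor OUI), and the low 64 bits stay
    constant no matter which network prefix the host moves to.
    """
    if len(iid) != 8 or iid[3:5] != b"\xff\xfe":
        return None
    octets = bytearray(iid[:3] + iid[5:])
    octets[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in octets)


def temporary_iid(history: bytes, eui64: bytes) -> Tuple[bytes, bytes]:
    """One iteration of the RFC 3041 section 3.2.1 randomized IID algorithm.

    MD5(history || EUI-64); the left 64 bits, with bit 6 (the u/l bit, value
    0x02) cleared to mark local significance, become the temporary IID, and the
    right 64 bits become the history value for the next iteration. MD5 is used
    only because the RFC prescribes it as a mixing function; nothing here
    depends on its collision resistance.
    """
    if len(history) != 8 or len(eui64) != 8:
        raise ValueError("history and EUI-64 must both be 64 bits")
    digest = hashlib.md5(history + eui64).digest()
    iid = bytearray(digest[:8])
    iid[0] &= 0xFD  # clear the 0x02 (universal/local) bit
    return bytes(iid), digest[8:]


def slaac_address(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """Combine an advertised /64 prefix with an interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"            # constructed sample MAC
    prefix = "2001:db8:1:2::/64"          # documentation prefix (RFC 3849)
    eui = mac_to_modified_eui64(mac)
    print("EUI-64 address :", slaac_address(prefix, eui))
    print("MAC recovered  :", eui64_to_mac(eui))

    history = b"\x00" * 8                # constructed initial history value
    for _ in range(3):
        tmp, history = temporary_iid(history, eui)
        print("temporary addr :", slaac_address(prefix, tmp),
              "(MAC recoverable:", eui64_to_mac(tmp) is not None, ")")
```

Running it shows the EUI-64 address 2001:db8:1:2:211:22ff:fe33:4455, from which the MAC 00:11:22:33:44:55 falls straight out, followed by three temporary addresses under the same prefix that share nothing with each other or with the hardware address. The host keeps the EUI-64 address for inbound connections and uses the temporary ones for outbound traffic, which is the trade-off the privacy extensions make.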