Assigning IPv6 /48's to CPE's?

Tim Franklin tim at pelican.org
Thu Jan 3 16:25:31 UTC 2008


On Thu, January 3, 2008 3:17 pm, William Herrin wrote:

> In my ever so humble opinion, IPv6 will not reach significant
> penetration at the customer level until NAT has been thoroughly
> implemented. Corporate information security officers will insist.
> Here's the thing: a stateful non-NAT firewall is automatically less
> secure than a stateful translating firewall. Why? Because a mistake
> configuring a NAT firewall breaks the network causing everything to
> stop working while a mistake with a firewall that does no translation
> causes data to flow unfiltered. Humans being humans, mistakes will be
> made. The first failure mode is highly preferable.

Only assuming the nature of your mistake is 'turn it off'.

I can fat-finger a 'port-forward *all* ports to important internal
server', rather than just '80/TCP' pretty much exactly as easily as I can
fat-finger 'permit *all* external to important internal server' rather
than just '80/TCP'.

Which failure mode is more acceptable is going to depend on the business
in question too.  If 'seconds connected to the Internet' is a direct
driver of 'dollars made', spending a length of time exposed (risk of loss)
while fixing a config error may well be preferable to spending a length of
time disconnected (actual loss).

I'll grant the 'everything is disconnected' case is easier to spot, though
- especially if you don't have proper change management to test that the
change you made is the change you think you made.

Regards,
Tim.
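As an added illustration of the symmetry Tim describes (not code from the thread or from any vendor), the check below lints a short, constructed rule list and flags any rule, NAT port-forward or plain permit alike, that exposes far more ports to an internal host than the intended "80/TCP". The one-line rule syntax, the hosts and the 1024-port threshold are all assumptions for the example; the idea is the pre-change test that the change you made is the change you think you made.

```python
"""Lint firewall/NAT rules for 'all ports to an internal host' fat-fingers.

Added example; the rule syntax is a constructed, simplified one (hypothetical,
not any vendor's CLI):  <action> <src> -> <dst> <proto>/<ports>
action is 'permit' (filter rule) or 'forward' (NAT port-forward);
ports is a single port, a range 'lo-hi', or 'any'.
"""
import re

RULE_RE = re.compile(
    r"^(?P<action>permit|forward)\s+(?P<src>\S+)\s*->\s*(?P<dst>\S+)\s+"
    r"(?P<proto>tcp|udp|any)/(?P<ports>\d+(?:-\d+)?|any)$"
)

def port_count(ports: str) -> int:
    """Number of ports a rule exposes (65536 for 'any')."""
    if ports == "any":
        return 65536
    if "-" in ports:
        lo, hi = (int(p) for p in ports.split("-"))
        return hi - lo + 1
    return 1

def lint(rules, max_ports=1024):
    """Return (rule_no, reason) for each rule exposing more than max_ports.

    A NAT 'forward' and a filter 'permit' get the same check: the mistake
    looks identical in either form, which is the point of the thread.
    """
    findings = []
    for n, line in enumerate(rules, 1):
        m = RULE_RE.match(line.strip())
        if not m:
            findings.append((n, "unparseable rule"))
            continue
        exposed = port_count(m["ports"])
        if exposed > max_ports:
            findings.append((n, f"{m['action']} exposes {exposed} ports on {m['dst']}"))
    return findings

# Constructed sample policy: the intended change was "80/TCP to the web server";
# rules 2 and 4 are the two fat-fingers described above (all ports, both styles).
SAMPLE_RULES = [
    "permit any -> 10.0.0.5 tcp/80",
    "permit any -> 10.0.0.5 tcp/any",           # permit *all* ports
    "forward 203.0.113.1 -> 10.0.0.5 tcp/80",
    "forward 203.0.113.1 -> 10.0.0.5 any/any",  # port-forward *all* ports
    "permit any -> 10.0.0.6 tcp/8000-9000",     # wide, but under the threshold
]

if __name__ == "__main__":
    for n, reason in lint(SAMPLE_RULES):
        print(f"rule {n}: {reason}")
```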




