v6 & DSL / Cable modems [was: Private use of non-RFC1918 IP space

Matthew Moyle-Croft mmc at internode.com.au
Sat Feb 7 03:06:50 UTC 2009

Stephen Sprunk wrote:
> You must be very sheltered.  Most end users, even "security" folks at 
> major corporations, think a NAT box is a firewall and disabling NAT is 
> inherently less secure.  Part of that is factual: NAT (er, dynamic 
> PAT) devices are inherently fail-closed because of their design, while 
> a firewall might fail open.  Also, NAT prevents some information 
> leakage by hiding the internal details of the site's network, and many 
> folks place a high value on "security" through obscurity.  This is 
> understandable, since the real threats -- uneducated users and flawed 
> software -- are ones they have no power to fix.
It's also worth pointing out that CPE for DSL often has really poor 
stateful firewall code.  So often turning it off means less issues for 
home users.   At least NAT gives some semblance of protection.  IPv6 
without NAT might be awesome to some, but the reality is CPE is built to 
a price and decent firewall code is thin on the ground.  I'm not hopeful 
of it getting better when IPv6 starts to become mainstream.

(In case it's not clear - I'm not talking about enterprise stuff - I'm 
talking about CPE for domestic DSL/Cable users - please don't tell me 
all about how cool NetScreen/PIX/ASA/<insert favourite fw> is for 


Matthew Moyle-Croft - Internode/Agile - Networks
Level 4, 150 Grenfell Street, Adelaide, SA 5000 Australia
Email: mmc at internode.com.au  Web: http://www.on.net
Direct: +61-8-8228-2909		    Mobile: +61-419-900-366
Reception: +61-8-8228-2999          Fax: +61-8-8235-6909

More information about the NANOG mailing list