v6 & DSL / Cable modems [was: Private use of non-RFC1918 IP space
owen at delong.com
Fri Feb 6 21:32:10 CST 2009
On Feb 6, 2009, at 7:06 PM, Matthew Moyle-Croft wrote:
> Stephen Sprunk wrote:
>> You must be very sheltered. Most end users, even "security" folks
>> at major corporations, think a NAT box is a firewall and disabling
>> NAT is inherently less secure. Part of that is factual: NAT (er,
>> dynamic PAT) devices are inherently fail-closed because of their
>> design, while a firewall might fail open. Also, NAT prevents some
>> information leakage by hiding the internal details of the site's
>> network, and many folks place a high value on "security" through
>> obscurity. This is understandable, since the real threats --
>> uneducated users and flawed software -- are ones they have no power
>> to fix.
> It's also worth pointing out that CPE for DSL often has really poor
> stateful firewall code. So often turning it off means fewer issues
> for home users. At least NAT gives some semblance of protection.
> IPv6 without NAT might be awesome to some, but the reality is CPE is
> built to a price and decent firewall code is thin on the ground.
> I'm not hopeful of it getting better when IPv6 starts to become
IPTables is decent firewall code.
I don't buy that argument for a second.
Further, since more and more CPE is being built on embedded Linux, there's no reason that IPTables isn't a perfectly valid approach to the underlying
> (In case it's not clear - I'm not talking about enterprise stuff -
> I'm talking about CPE for domestic DSL/Cable users - please don't
> tell me all about how cool NetScreen/PIX/ASA/<insert favourite fw>
> is for enterprise).
> Matthew Moyle-Croft - Internode/Agile - Networks
> Level 4, 150 Grenfell Street, Adelaide, SA 5000 Australia
> Email: mmc at internode.com.au Web: http://www.on.net
> Direct: +61-8-8228-2909 Mobile: +61-419-900-366
> Reception: +61-8-8228-2999 Fax: +61-8-8235-6909
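As a concrete illustration of the point made in this message (iptables is decent firewall code, and a CPE built on embedded Linux can use it instead of relying on NAT), here is a minimal stateful ip6tables ruleset for a home router forwarding IPv6 without address translation. This is an added example, not code posted in the thread or shipped by any vendor named in it. It reproduces the one property Stephen Sprunk credits NAT with (unsolicited inbound is dropped, fail-closed) while admitting the ICMPv6 that IPv6 depends on and that a NAT-era ruleset typically forgets. The interface names eth0 (WAN) and br0 (LAN) are assumptions, as is the CPE running its own DHCPv6 client; the kernel needs IPv6 connection tracking (nf_conntrack with IPv6 support) for the conntrack match to work.

```shell
#!/bin/sh
# Added example, not code from the original NANOG thread: a stateful
# ip6tables ruleset for a Linux-based home CPE routing IPv6 without NAT.
# Interface names below are our assumptions; adjust them to the device.
WAN="${WAN:-eth0}"   # upstream (DSL/cable) side, assumed name
LAN="${LAN:-br0}"    # bridged home LAN, assumed name

r() { echo "ip6tables $*"; }

# rules() prints one ip6tables command per line so the set can be
# reviewed, diffed or tested without root; apply() runs it on the box.
rules() {
    # Default-deny for the router itself and for everything it forwards.
    # Policies are set before flushing so a reload never opens a window.
    r -P INPUT DROP
    r -P FORWARD DROP
    r -P OUTPUT ACCEPT
    r -F

    # Stateful core, the part a dynamic PAT box does implicitly: replies
    # to flows started from inside come back, nothing else gets in.
    for chain in INPUT FORWARD; do
        r -A "$chain" -m conntrack --ctstate INVALID -j DROP
        r -A "$chain" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    done

    # Traffic addressed to the CPE itself.
    r -A INPUT -i lo -j ACCEPT
    r -A INPUT -i "$LAN" -j ACCEPT
    # ICMPv6 the router needs from the WAN link: error messages (types 1-4),
    # router and neighbor discovery (133-137). RFC 4890 says not to filter these.
    for t in 1 2 3 4 133 134 135 136 137; do
        r -A INPUT -i "$WAN" -p icmpv6 --icmpv6-type "$t" -j ACCEPT
    done
    # Answer pings from outside, rate-limited.
    r -A INPUT -i "$WAN" -p icmpv6 --icmpv6-type 128 -m limit --limit 10/second -j ACCEPT
    # DHCPv6 client replies (server 547 -> client 546) arrive at a different
    # address than the multicast request left from, so conntrack will not
    # match them; they must be allowed explicitly.
    r -A INPUT -i "$WAN" -p udp --sport 547 --dport 546 -j ACCEPT

    # Traffic through the CPE to LAN hosts.
    r -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
    # Path MTU discovery and traceroute only work if these errors reach the
    # LAN hosts; type 128 lets outsiders ping them and can be dropped if unwanted.
    for t in 1 2 3 4 128; do
        r -A FORWARD -i "$WAN" -o "$LAN" -p icmpv6 --icmpv6-type "$t" -j ACCEPT
    done
    # Everything else from WAN to LAN hits the DROP policy: the same posture
    # a NAT box gives, with no address rewriting involved.
}

apply() { rules | sh -e; }

# On the device run:  sh thisfile.sh apply    (prints the rules otherwise)
if [ "${1:-}" = apply ]; then apply; else rules; fi
```

Running the script without arguments prints the ruleset so it can be audited before it touches a live router; the design deliberately keeps every WAN-side ACCEPT either stateful, ICMPv6 or DHCPv6, which is the invariant a reviewer should check when the ruleset is edited.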