v6 & DSL / Cable modems [was: Private use of non-RFC1918 IP space

Owen DeLong owen at delong.com
Sat Feb 7 03:32:10 UTC 2009

On Feb 6, 2009, at 7:06 PM, Matthew Moyle-Croft wrote:

> Stephen Sprunk wrote:
>> You must be very sheltered.  Most end users, even "security" folks  
>> at major corporations, think a NAT box is a firewall and disabling  
>> NAT is inherently less secure.  Part of that is factual: NAT (er,  
>> dynamic PAT) devices are inherently fail-closed because of their  
>> design, while a firewall might fail open.  Also, NAT prevents some  
>> information leakage by hiding the internal details of the site's  
>> network, and many folks place a high value on "security" through  
>> obscurity.  This is understandable, since the real threats --  
>> uneducated users and flawed software -- are ones they have no power  
>> to fix.
> It's also worth pointing out that CPE for DSL often has really poor  
> stateful firewall code.  So often turning it off means less issues  
> for home users.   At least NAT gives some semblance of protection.   
> IPv6 without NAT might be awesome to some, but the reality is CPE is  
> built to a price and decent firewall code is thin on the ground.   
> I'm not hopeful of it getting better when IPv6 starts to become  
> mainstream.
IPTables is decent firewall code.

It's free.

I don't buy that argument for a second.

Further, since more and more CPE is being built on embedded linux,  
there's no reason
that IPTables isn't a perfectly valid approach to the underlying  
firewall code.


> (In case it's not clear - I'm not talking about enterprise stuff -  
> I'm talking about CPE for domestic DSL/Cable users - please don't  
> tell me all about how cool NetScreen/PIX/ASA/<insert favourite fw>  
> is for enterprise).
> -- 
> Matthew Moyle-Croft - Internode/Agile - Networks
> Level 4, 150 Grenfell Street, Adelaide, SA 5000 Australia
> Email: mmc at internode.com.au  Web: http://www.on.net
> Direct: +61-8-8228-2909		    Mobile: +61-419-900-366
> Reception: +61-8-8228-2999          Fax: +61-8-8235-6909

More information about the NANOG mailing list