Addressing plan exercise for our IPv6 course
Mark Smith
nanog at 85d5b20a518b8f6864949bd940457dc124746ddc.nosense.org
Fri Jul 23 04:15:17 UTC 2010
On Thu, 22 Jul 2010 19:53:48 -0700
"Akyol, Bora A" <bora at pnl.gov> wrote:
> As long as customers believe that having a NAT router/"firewall" in place is a security feature,
> I don't think anyone is going to get rid of the NAT box.
>
You need to separate the NAT function (or more specifically, Network
Address Port Translation (NAPT)), and the side effect of that operation
being a deny all for uninitiated inbound traffic. It is not a unique
property to NAPT, and in fact, stateful firewalling using public
addresses has been around as long as NAT (at least since 1995 IIRC).
> In all reality, NAT boxes do work for 99% of customers out there.
>
So would a firewall with public addressing. It's worked for me for 10+
years with IPv4, and 4+ years with IPv6.
Of course, it didn't protect me when I ran an email attachment that
contained malware, or when I clicked on one of those "PC check"
popups that installed an application. (well, not actually me, but a
large number of people do this, helping the attacker completely bypass
any "NAT security". Inviting the attacker in as though they were a
trusted guest makes the best locks in the world on the door a waste of
time.)
It seems you haven't done much with NAT to have encountered its
limitations, or experienced the benefits of end-to-end connectivity
(ever had to stuff around with port forwarding, TURN, STUN etc. to get
VoIP working at home? I haven't, and I got to spend that time on
something else much more useful than fiddling with NAT workarounds.)
>
> Bora
>
> On 7/22/10 7:34 PM, "Owen DeLong" <owen at delong.com> wrote:
>
> Well, wouldn't it be better if the provider simply issued enough space to
> make NAT66 unnecessary?
>
> Owen
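The point made above, that "deny all uninitiated inbound" is a property of connection tracking and not of address translation, is easy to show in a ruleset. The following is an added example, not from the original post or from any of the participants: a stateful IPv6 firewall for a small router that uses globally routable addresses on the inside and no NAT66. The interface names "wan0" and "lan0", the inside prefix 2001:db8:1::/64 (the documentation prefix), the single served host 2001:db8:1::443 and the use of DHCPv6 prefix delegation on the WAN side are all assumptions made for the example.

```nft
#!/usr/sbin/nft -f
# Added example: stateful IPv6 firewall with public addressing, no NAT66.
# Assumptions: upstream interface "wan0", inside interface "lan0",
# inside prefix 2001:db8:1::/64, one web server at 2001:db8:1::443,
# router obtains its prefix via DHCPv6-PD on wan0.

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # This is the NAPT "side effect" done explicitly: replies to flows the
        # router itself opened are allowed, anything uninitiated is dropped by
        # the chain policy. No address is rewritten anywhere in this file.
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept

        # IPv6 does not work without ICMPv6: neighbour discovery, router
        # advertisements and path MTU discovery all depend on it. A NAT box
        # that blanket-drops ICMPv6 breaks the link; a firewall must not.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request, nd-router-solicit,
                      nd-router-advert, nd-neighbor-solicit,
                      nd-neighbor-advert } accept

        # DHCPv6 server replies (assumption: prefix delegation on wan0)
        iifname "wan0" udp dport 546 accept

        # Router management only from the inside network
        iifname "lan0" tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Error signalling must be able to cross the router in both directions,
        # otherwise PMTUD fails for inside hosts.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept

        # Inside hosts may initiate anything towards the Internet.
        iifname "lan0" oifname "wan0" accept

        # Inbound from the Internet is only what is explicitly opened.
        # This replaces a NAT "port forward": the host keeps its own public
        # address and port, so no DNAT, STUN or TURN is involved.
        iifname "wan0" oifname "lan0" ip6 daddr 2001:db8:1::443 \
            tcp dport 443 ct state new accept
    }
}
```

Load it with `nft -f` and check the state table with `conntrack -L -f ipv6` while an inside host browses: every accepted inbound packet either belongs to an entry that an inside host created, or matches the one explicit rule. The protective behaviour is identical to what a NAPT box gives, and it would still be defeated in exactly the way the post describes, by a user who runs the attachment or clicks the popup and thereby opens the flow from the inside.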