Addressing plan exercise for our IPv6 course
Akyol, Bora A
bora at pnl.gov
Tue Jul 27 19:05:19 UTC 2010
Please see comments inline.
On 7/22/10 10:13 PM, "Owen DeLong" <owen at delong.com> wrote:
> In all reality:
>
> 1. NAT has nothing to do with security. Stateful inspection provides
> security, NAT just mangles addresses.
Of course, the problem is that there are millions of customers that believe
that NAT == security. This needs to change.
>
> 2. In the places where NAT works, it does so at a terrible cost. It
> breaks a number of things, and, applications like Skype are
> incredibly more complex pieces of code in order to solve NAT
> traversal.
I look at this as water under the bridge. Yep, it was complicated code and
now it works. I can run BitTorrent just fine beyond an Apple wireless router
and I did nothing to make that work. Micro-torrent just communicates with
the router to make the port available.
> The elimination of NAT is one of the greatest features of IPv6.
>
> Most customers don't know or care what NAT is and wouldn't know the
> difference between a NAT firewall and a stateful inspection firewall.
>
> I do think that people will get rid of the NAT box by and large, or, at least
> in IPv6, the box won't be NATing.
>
> Whether or not they NAT it, it's still better to give the customer enough
> addresses that they don't HAVE to NAT.
>
> Owen
>
Of course, no disagreement there. The real challenge is going to be
education of customers so that they can actually configure a firewall policy
to protect their now-suddenly-addressable-on-the-Internet home network. I
would love to see how SOHO vendors are going to address this.