quietly....
Owen DeLong
owen at delong.com
Thu Feb 3 18:17:14 UTC 2011
On Feb 3, 2011, at 8:29 AM, Jay Ashworth wrote:
> ----- Original Message -----
>> From: "Jon Lewis" <jlewis at lewis.org>
>
>> There's an awful lot of inertia in the "NAPT/firewall keeps our hosts
>> safe from the internet" mentality. Sure, a stateful firewall can be
>> configured allow all outbound traffic and only connected/related
>> inbound.
>
>> When someone breaks or shuts off that filter, traffic through the NAPT
>> firewall stops working. On the stateful firewall with public IPs on
>> both sides, everything works...including the traffic you didn't want.
>
> Precisely.
>
> This is the crux of the argument I've been trying, rather ineptly,
> to make: when it breaks, *which way does it fail*. NAT fails safe,
> generally.
>
So does any decent stateful inspection firewall. That's why your argument
doesn't hold water.
The only thing NAT brings to the equation over a properly constructed
stateful firewall is the mutilation of the IP header.
>> People are going to want NAT66...and not providing it may slow down
>> IPv6 adoption.
>
> You're using the future tense there, Jon; are you sure you didn't mean
> to use the present? Or the past...?
>
If the lack of NAT66 slows down IPv6 adoption, even though I am a big
IPv6 cheerleader, I am willing to accept that particular tradeoff.
Overloaded NAT is too costly to the community to be allowed to promulgate
into IPv6. It is detrimental to:
Application development
Innovation
Security
Auditing
Cost:
Cost of application development
Cost of devices
Cost of administration
Cost of operations
People that hold steadfast to the idea of not implementing IPv6 without
NAT will eventually become IPv4 islands. The rest of the internet will
continue to innovate without them and they will eventually come along
or they will be left behind.
Owen
More information about the NANOG
mailing list