misunderstanding scale
Mark Tinka
mark.tinka at seacom.mu
Mon Mar 24 16:35:18 UTC 2014
On Monday, March 24, 2014 02:56:13 PM Timothy Morizot wrote:
> NAT traversal is and has long been fairly trivial. NAT
> and RFC1918 provide no meaningful host protection
> whatsoever and never has. The only thing that limits
> direct access to internal networks is a stateful
> firewall. (Well, IPS can also drop packets.) That's true
> for IPv4 and for IPv6. So an enterprise relying on NAT44
> and RFC1918 for internal host protection instead of a
> stateful firewall already has no meaningful security in
> place.
Don't disagree with you there.
I'm saying many an enterprise (small and large) as well as
homes operate this way. There is a lot of unlearning to do.
The whole issue is that a number of enterprises "may" only
feel safe if IPv6 comes with NAT66, probably on top (or not
on top) of a stateful IPv6 firewall.
We need to think about how to re-train the enterprise, if we
don't want to repeat the erasure of the end-to-end model,
second time around.
Mark.