misunderstanding scale

Mark Tinka mark.tinka at seacom.mu
Mon Mar 24 16:35:18 UTC 2014


On Monday, March 24, 2014 02:56:13 PM Timothy Morizot wrote:

> NAT traversal is and has long been fairly trivial. NAT
> and RFC1918 provides no meaningful host protection
> whatsoever and never has. The only thing that limits
> direct access to internal networks is a stateful
> firewall. (Well, IPS can also drop packets.) That's true
> for IPv4 and for IPv6. So an enterprise relying on NAT44
> and RFC1918 for internal host protection instead of a
> stateful firewall already has no meaningful security in
> place.

Don't disagree with you there.

I'm saying many an enterprise (small and large) as well as
homes operate this way. There is a lot of unlearning to do.

The whole issue is that a number of enterprises "may" only
feel safe if IPv6 comes with NAT66, probably on top (or not
on top) of a stateful IPv6 firewall.

We need to think about how to re-train the enterprise, if we
don't want to repeat the erasure of the end-to-end model,
second time around.

Mark.
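As an added illustration of the point both posters make (this is not from the thread), here is an IPv6 edge ruleset that gives inside hosts the "only what we started can come back" behaviour people attribute to NAT44, with no NAT66 and every host keeping its global address. nftables syntax; the interface names eth0 (WAN) and eth1 (LAN) and the 2001:db8:1::/48 prefix are assumptions.

```nftables
# Added example, not from the thread. Assumes WAN interface "eth0",
# LAN interface "eth1" and the documentation prefix 2001:db8:1::/48
# as a placeholder for the site's real allocation.
table inet edge {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for sessions the inside opened. This single
        # state rule is what NAT44 sites actually rely on for host
        # protection; it needs no address rewriting at all.
        ct state established,related accept

        # Packets the connection tracker cannot place in any flow.
        ct state invalid drop

        # Inside hosts may open new sessions outbound, but only from
        # our own prefix (stops spoofed sources leaving the site).
        iifname "eth1" oifname "eth0" ip6 saddr 2001:db8:1::/48 accept

        # ICMPv6 that IPv6 cannot work without (PMTUD and error
        # reporting); without these, large transfers stall.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept

        # New inbound sessions from the Internet: count and log them
        # so the drops are visible, then drop. Nothing reaches an
        # inside host unless a rule above it is added deliberately.
        iifname "eth0" ct state new counter log prefix "v6-inbound-new: " drop
    }
}
```

Load it with `nft -f`; the counters on the last rule show how much unsolicited inbound the stateful filter alone is absorbing, which is the figure a site used to crediting NAT will want to see.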