jgreco at ns.sol.net
Mon Mar 24 12:31:44 UTC 2014
> On Mon, Mar 24, 2014 at 3:00 AM, Karl Auer <kauer at biplane.com.au> wrote:
> > Addressable is not the same as
> > accessible; routable is not the same as routed.
> Indeed. However, all successful security is about _defense in depth_.
> If it is inaccessible, unrouted, unroutable and unaddressable then you
> have four layers of security. If it is merely inaccessible and
> unrouted you have two.
Yet there is significant value to providing uniqueness in address space,
a property that is incredibly useful.
The proponents of this sort of "in depth" "defense" typically view NAT
as a way to protect their networks, which it does, in some limited sense,
from being addressable from the outside world. The problem is that it
has broken one of the key design principles in IPv4, and so we've had to
suffer for years under broken NAT regimes and workarounds and other
folly. This is overall a bad thing for the Internet, and for the
development of future protocols and applications.
Time to give up two layers of meaningless security for the riches offered
by the vastness of the new address space.
If this job were easy, anyone could do it.
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
More information about the NANOG