misunderstanding scale

Patrick W. Gilmore patrick at ianai.net
Mon Mar 24 17:05:11 UTC 2014


On Mar 24, 2014, at 12:21, William Herrin <bill at herrin.us> wrote:
> On Sun, Mar 23, 2014 at 11:07 PM, Naslund, Steve <SNaslund at medline.com> wrote:

>> I am not sure I agree with the basic premise here.   NAT or Private addressing does not equal security.

> Many of the folks you would have deploy IPv6 do not agree. They take
> comfort in the mathematical impossibility of addressing an internal
> host from an outside packet that is not part of an ongoing session.
> These folks find that address-overloaded NAT provides a valuable
> additional layer of security.
> 
> Some folks WANT to segregate their networks from the Internet via a
> general-protocol transparent proxy. They've had this capability with
> IPv4 for 20 years. IPv6 poorly addresses their requirement.

NAT i s not required for the above. Any firewall can stop incoming packets unless they are part of an established session. NAT doesn't add much of anything, especially given that you can have one-to-one NAT.

-- 
TTFN,
patrick




More information about the NANOG mailing list