misunderstanding scale

Mon Mar 24 18:19:41 UTC 2014

On Mar 24, 2014, at 13:17 , William Herrin <bill at herrin.us> wrote:
> On Mon, Mar 24, 2014 at 1:05 PM, Patrick W. Gilmore <patrick at ianai.net> wrote:
>> On Mar 24, 2014, at 12:21, William Herrin <bill at herrin.us> wrote:

>>> Some folks WANT to segregate their networks from the Internet via a
>>> general-protocol transparent proxy. They've had this capability with
>>> IPv4 for 20 years. IPv6 poorly addresses their requirement.
>> 
>> NAT i s not required for the above. Any firewall can stop incoming packets unless they are part of an established session. NAT doesn't add much of anything, especially given that you can have one-to-one NAT.
> 
> Hi Patrick,
> 
> What sort of traction are you getting from that argument with
> enterprise security folks who object to deploying IPv6 because of NAT?

The _good_ security people complain about deploying NAT in v4 or v6, because they don't think it is "security".

What sort of traction do you get with security people when you tell them NAT == "security in depth"?

If you mean "do people who get hired by $CORPORATION and do not know anything about security get upset when you tell them something they did not know?" The answer is "frequently, yes". I'm not sure what that has to do with the discussion at hand, though.

-- 
TTFN,
patrick

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 535 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20140324/811bcdf9/attachment.sig>