owen at delong.com
Tue Mar 25 03:02:51 UTC 2014
On Mar 24, 2014, at 9:21 AM, William Herrin <bill at herrin.us> wrote:
> On Sun, Mar 23, 2014 at 11:07 PM, Naslund, Steve <SNaslund at medline.com> wrote:
>> I am not sure I agree with the basic premise here. NAT or Private addressing does not equal security.
> Hi Steve,
> It is your privilege to believe this and to practice it in the
> networks you operate.
> Many of the folks you would have deploy IPv6 do not agree. They take
> comfort in the mathematical impossibility of addressing an internal
> host from an outside packet that is not part of an ongoing session.
> These folks find that address-overloaded NAT provides a valuable
> additional layer of security.
Which impossibility has been disproven multiple times.
> Some folks WANT to segregate their networks from the Internet via a
> general-protocol transparent proxy. They've had this capability with
> IPv4 for 20 years. IPv6 poorly addresses their requirement.
Actually, there are multiple implementations of transparent proxies available
for IPv6. NAT isn’t the same thing at all.
If you want to make your life difficult in IPv6, you can. Nobody prevents you from
doing so. It is discouraged and non-sensical, but quite possible at this point.
More information about the NANOG