misunderstanding scale

George Herbert george.herbert at gmail.com
Tue Mar 25 03:52:48 UTC 2014


On Mon, Mar 24, 2014 at 8:02 PM, Owen DeLong <owen at delong.com> wrote:

>
> On Mar 24, 2014, at 9:21 AM, William Herrin <bill at herrin.us> wrote:
>
> > On Sun, Mar 23, 2014 at 11:07 PM, Naslund, Steve <SNaslund at medline.com>
> wrote:
> >> I am not sure I agree with the basic premise here.   NAT or Private
> addressing does not equal security.
> >
> > Hi Steve,
> >
> > It is your privilege to believe this and to practice it in the
> > networks you operate.
> >
> > Many of the folks you would have deploy IPv6 do not agree. They take
> > comfort in the mathematical impossibility of addressing an internal
> > host from an outside packet that is not part of an ongoing session.
> > These folks find that address-overloaded NAT provides a valuable
> > additional layer of security.
>
> Which impossibility has been disproven multiple times.
>
> > Some folks WANT to segregate their networks from the Internet via a
> > general-protocol transparent proxy. They've had this capability with
> > IPv4 for 20 years. IPv6 poorly addresses their requirement.
>
> Actually, there are multiple implementations of transparent proxies
> available
> for IPv6. NAT isn't the same thing at all.
>
> If you want to make your life difficult in IPv6, you can. Nobody prevents
> you from
> doing so. It is discouraged and nonsensical, but quite possible at this
> point.
>
> Owen
>
>
>
Right.  fc00::/7 exists.  If you want to emulate your internal use of
10.0.0.0/8 plus NAT (or, proxies or load balancers or whatever) in your
IPv6 implementation go ahead.  Putting in some robust filtering that if the
fc00::/7 ever appears outside the internal gateway the traffic goes poof
should be as easy as the equivalents for 10, 172.16, 192.168 ...


-- 
-george william herbert
george.herbert at gmail.com
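The border filter George sketches above (fc00::/7 treated exactly like 10/8, 172.16/12 and 192.168/16: if it shows up on the outside of the gateway, the traffic goes poof) is modelled below as an added example. It is not code from the thread or from any poster; the packet tuples are constructed sample traffic, and the "drop"/"accept" verdicts are a stand-in for whatever ACL or firewall rule a real gateway would carry. It also handles one wrinkle the post does not mention: an IPv4-mapped IPv6 address such as ::ffff:10.0.0.5 still carries an RFC 1918 address and should fall under the same rule.

```python
"""Added example: the "if fc00::/7 appears outside the gateway, drop it"
filter from the post, alongside its RFC 1918 equivalents. Not from the
NANOG thread; the traffic below is constructed for illustration."""
import ipaddress
from typing import Iterable

# Prefixes that must never be seen on the external side of the border, in
# either direction. fc00::/7 covers both fc00::/8 and fd00::/8 (today only
# fd00::/8, locally assigned ULA, is actually in use).
NEVER_EXTERNAL = [
    ipaddress.ip_network("fc00::/7"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_internal_only(addr: str) -> bool:
    """True if addr lies inside a prefix that may not cross the border."""
    ip = ipaddress.ip_address(addr)
    # ::ffff:a.b.c.d is an IPv4 address wearing an IPv6 coat; compare the
    # embedded IPv4 form so the RFC 1918 checks still apply to it.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # `in` is False across address families, so mixed checks are harmless.
    return any(ip in net for net in NEVER_EXTERNAL)


def border_verdict(src: str, dst: str) -> str:
    """Verdict for one packet observed on the external interface.

    Both directions are covered: an internal address leaking out as a
    source, or an outside host addressing an internal prefix directly.
    """
    if is_internal_only(src) or is_internal_only(dst):
        return "drop"
    return "accept"


def filter_packets(packets: Iterable[tuple[str, str]]) -> dict[str, list[tuple[str, str]]]:
    """Partition (src, dst) pairs into the packets kept and the ones dropped."""
    result: dict[str, list[tuple[str, str]]] = {"accept": [], "drop": []}
    for src, dst in packets:
        result[border_verdict(src, dst)].append((src, dst))
    return result


# Constructed sample traffic (documentation prefixes only):
SAMPLE_PACKETS = [
    ("2001:db8::10", "2001:db8:1::20"),        # ordinary global-to-global
    ("fd12:3456:789a::1", "2001:db8::1"),      # ULA leaking outward
    ("2001:db8::1", "fd12:3456:789a::1"),      # outside host aiming at ULA
    ("198.51.100.7", "10.0.0.5"),              # RFC 1918 destination
    ("::ffff:192.168.1.1", "2001:db8::1"),     # mapped RFC 1918 source
    ("fe80::1", "2001:db8::1"),                # link-local is not ULA
]

if __name__ == "__main__":
    for verdict, pkts in filter_packets(SAMPLE_PACKETS).items():
        for src, dst in pkts:
            print(f"{verdict:6} {src} -> {dst}")
```

The fe80::/10 line is deliberate: link-local is not inside fc00::/7 (fc and fd begin with bits 1111110, fe80 begins 1111111), so a filter written literally for fc00::/7 leaves it alone, which is the right behaviour for a prefix that never gets routed in the first place. On a real gateway the same four prefixes would become deny entries on the external interface's ingress and egress ACLs, placed before any permit.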