[101419] in North American Network Operators' Group
Re: Assigning IPv6 /48's to CPE's?
daemon@ATHENA.MIT.EDU (Tim Franklin)
Thu Jan 3 12:02:14 2008
In-Reply-To: <3c3e3fca0801030717w43ab681fp33c1cc0d116d36e0@mail.gmail.com>
Date: Thu, 3 Jan 2008 16:25:31 -0000 (GMT)
From: "Tim Franklin" <tim@pelican.org>
To: "William Herrin" <herrin-nanog@dirtside.com>
Cc: "Rick Astley" <jnanog@gmail.com>, nanog@merit.edu
Errors-To: owner-nanog@merit.edu
On Thu, January 3, 2008 3:17 pm, William Herrin wrote:
> In my ever so humble opinion, IPv6 will not reach significant
> penetration at the customer level until NAT has been thoroughly
> implemented. Corporate information security officers will insist.
> Here's the thing: a stateful non-NAT firewall is automatically less
> secure than a stateful translating firewall. Why? Because a mistake
> configuring a NAT firewall breaks the network causing everything to
> stop working while a mistake with a firewall that does no translation
> causes data to flow unfiltered. Humans being humans, mistakes will be
> made. The first failure mode is highly preferable.
Only assuming the nature of your mistake is 'turn it off'.
I can fat-finger a 'port-forward *all* ports to important internal
server', rather than just '80/TCP' pretty much exactly as easily as I can
fat-finger 'permit *all* external to important internal server' rather
than just '80/TCP'.
Which failure mode is more acceptable is going to depend on the business
in question too. If 'seconds connected to the Internet' is a direct
driver of 'dollars made', spending a length of time exposed (risk of loss)
while fixing a config error may well be preferable to spending a length of
time disconnected (actual loss).
I'll grant the 'everything is disconnected' case is easier to spot, though -
especially if you don't have proper change management to test that the
change you made is the change you think you made.
Regards,
Tim.
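The exchange above turns on whether a fat-fingered NAT port-forward and a fat-fingered non-NAT permit expose the same thing, and on change management that checks "the change you made is the change you think you made". The following is an added example, not code from the thread or from any vendor: it models both rule styles in a constructed, simplified syntax, computes what each rule exposes to the outside, and compares an intended change against the one actually applied. The rule format, zone name "external", host name "srv1", and the 1024-port threshold are assumptions for illustration.

```python
"""Compare intended vs applied firewall changes and flag over-broad exposure.

Added example for the NANOG thread on NAT vs stateful firewall failure modes;
not part of the original post. Rule syntax is constructed, not any vendor's.
"""
from dataclasses import dataclass

ALL_PORTS = frozenset(range(1, 65536))


@dataclass(frozen=True)
class Rule:
    kind: str         # "permit" (stateful, no translation) or "forward" (NAT port-forward)
    src: str          # constructed zone name; "external" means anything outside
    dst: str          # internal host the rule exposes
    proto: str        # "tcp", "udp" or "any"
    ports: frozenset  # destination ports the rule opens


def parse_rule(line: str) -> Rule:
    """Parse the constructed syntax '<permit|forward> <src> -> <dst> <proto>/<port|all>'."""
    kind, src, arrow, dst, service = line.split()
    if kind not in ("permit", "forward") or arrow != "->":
        raise ValueError(f"bad rule: {line!r}")
    proto, port = service.split("/")
    ports = ALL_PORTS if port == "all" else frozenset([int(port)])
    return Rule(kind, src, dst, proto, ports)


def exposure(rule: Rule) -> frozenset:
    """(host, proto, port) triples an external peer can reach because of this rule.

    A NAT forward and a non-NAT permit that open the same service produce the
    same set: from an exposure standpoint the two fat-finger cases are equivalent.
    """
    if rule.src != "external":
        return frozenset()
    protos = ("tcp", "udp") if rule.proto == "any" else (rule.proto,)
    return frozenset((rule.dst, p, port) for p in protos for port in rule.ports)


def total_exposure(lines) -> frozenset:
    """Union of exposures over a whole rule set."""
    exposed = set()
    for line in lines:
        exposed |= exposure(parse_rule(line))
    return frozenset(exposed)


def unintended_exposure(intended, applied) -> frozenset:
    """Exposures present in the applied rule set but absent from the intended one."""
    return total_exposure(applied) - total_exposure(intended)


def overbroad_rules(lines, max_ports=1024):
    """Rules opening more ports to the outside than a single-service change should (assumed threshold)."""
    return [line for line in lines if len(exposure(parse_rule(line))) > max_ports]


# Constructed sample: the operator meant to open 80/TCP on 'srv1' but typed 'all'.
INTENDED_PERMIT = ["permit external -> srv1 tcp/80"]
FATFINGER_PERMIT = ["permit external -> srv1 tcp/all"]
INTENDED_FORWARD = ["forward external -> srv1 tcp/80"]
FATFINGER_FORWARD = ["forward external -> srv1 tcp/all"]

if __name__ == "__main__":
    for name, good, bad in [("permit", INTENDED_PERMIT, FATFINGER_PERMIT),
                            ("forward", INTENDED_FORWARD, FATFINGER_FORWARD)]:
        extra = unintended_exposure(good, bad)
        print(f"{name}: {len(extra)} unintended (host, proto, port) exposures; "
              f"over-broad rules: {overbroad_rules(bad)}")
```

Run as a change-control gate: feed it the rule set you meant to apply and the one the device reports, and refuse the change when `unintended_exposure` is non-empty. The same check catches both the "port-forward all ports" and the "permit all" slips, which is the point Tim makes: the translation step does not by itself turn that mistake into a fail-closed one.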