[125634] in North American Network Operators' Group

home help back first fref pref prev next nref lref last post

Re: Rate of growth on IPv6 not fast enough?

daemon@ATHENA.MIT.EDU (Chris Adams)
Tue Apr 20 15:51:52 2010

Date: Tue, 20 Apr 2010 14:51:19 -0500
From: Chris Adams <cmadams@hiwaay.net>
To: nanog@nanog.org
Mail-Followup-To: Chris Adams <cmadams@hiwaay.net>, nanog@nanog.org
In-Reply-To: <20100420193147.C69612B2128@mx5.roble.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Once upon a time, Roger Marquis <marquis@roble.com> said:
> Address conservation aside, the main selling point of NAT is its filtering
> of inbound session requests.  NAT _always_ fails-closed by forcing inbound
> connections to pass validation by stateful inspection.  Without this you'd
> have to depend on less reliable (fail-open) mechanisms and streams could be
> initiated from the Internet at large.  In theory you could enforce
> fail-closed reliably without NAT, but the rules would have to be more
> complex and complexity is the enemy of security.

NAT == stateful firewall + packet mangling.  You can do all the same
stateful firewall bits and drop the packet mangling quite easily (it is
certainly not "more complex" to not mangle packets).

-- 
Chris Adams <cmadams@hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
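The decomposition above (stateful firewall on one side, address rewriting on the other), as an added nftables ruleset that is not part of the original thread or of either poster's configuration. The interface names "wan" and "lan", the 192.168.0.0/16 inside prefix, and the 192.168.1.10 / 2001:db8::10 server addresses are assumptions chosen for illustration (documentation and private ranges). The inet forward chain is what actually fails closed, for both address families; the ip nat table only mangles IPv4 headers and makes no accept/drop decision of its own.

```nftables
#!/usr/sbin/nft -f
# Added example for a hypothetical dual-stack edge router (assumed names:
# "wan" upstream, "lan" inside). Not taken from the original post.

flush ruleset

# Stateful filtering, shared by IPv4 and IPv6. Policy drop means any packet
# the rules below do not accept (in particular an unsolicited inbound SYN on
# the WAN side) is discarded: fail-closed without any address translation.
table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to sessions opened from the inside are let back in;
        # packets conntrack cannot place in any session are dropped.
        ct state established,related accept
        ct state invalid drop

        # IPv6 needs these ICMPv6 errors forwarded or path MTU discovery and
        # unreachable signalling silently break; they carry no new session.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept

        # Inside hosts may open new sessions outbound.
        iifname "lan" oifname "wan" ct state new accept

        # Explicit inbound exceptions, same shape for both families. The IPv4
        # rule matches the destination *after* the DNAT below has rewritten it;
        # the IPv6 server is reached at its global address, no rewrite needed.
        iifname "wan" oifname "lan" ip daddr 192.168.1.10 tcp dport 443 ct state new accept
        iifname "wan" oifname "lan" ip6 daddr 2001:db8::10 tcp dport 443 ct state new accept
    }
}

# The IPv4-only part: packet mangling. It changes addresses and ports; it
# does not decide what is allowed through. A packet that is DNATed here is
# still dropped unless the forward chain above accepts it.
table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        iifname "wan" tcp dport 443 dnat to 192.168.1.10
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan" ip saddr 192.168.0.0/16 masquerade
    }
}
```

Load with `nft -f` and inspect with `nft list ruleset`. Deleting the whole `table ip nat` block leaves the inbound policy unchanged for IPv4 as well: the inside hosts would then need routable addresses, but nothing new gets in that the forward chain did not already accept.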

