[125810] in North American Network Operators' Group
Re: Rate of growth on IPv6 not fast enough?
daemon@ATHENA.MIT.EDU (Marshall Eubanks)
Fri Apr 23 10:48:09 2010
From: Marshall Eubanks <tme@americafree.tv>
To: Clue Store <cluestore@gmail.com>
In-Reply-To: <g2i580af3b91004230617zc17d5466y51cdf7bccd1d0225@mail.gmail.com>
Date: Fri, 23 Apr 2010 10:47:33 -0400
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Apr 23, 2010, at 9:17 AM, Clue Store wrote:
>> But none of this does what NAT does for a big enterprise, which is
>> to *hide internal topology*. Yes, addressing the privacy concerns
>> that come from using lower-64-bits-derived-from-MAC-address is
>> required, but it is also necessary (for some organizations) to
>> make it impossible to tell that this host is on the same subnet as
>> that other host, as that would expose information like which host
>> you might want to attack in order to get access to the financial
>> or medical records, as well as whether or not the executive floor
>> is where these interesting website hits came from.
>>
>> Matthew Kaufman
>
>> Yeah, that information leak is one reason I can think of for supporting
>> NAT for IPv6. One of the inherent security issues with unique
>> addresses I suppose.
> <flame-suit-on>
>
> What makes you think that not using NAT exposes internal topology??
Or that internal topology cannot leak out through NATs? I have seen
NATed enterprises become massively compromised.
Regards
Marshall
> I have many cases where either filtering at layer-2 or NAT'ing a /48 for
> itself (or proxy-arp for those that do not have kits that can NAT IP blocks
> as itself) does NOT expose internal topology. Get your filtering correctly
> set up, and there is no use for NAT/PAT in v6.
>
> NAT was designed with one purpose in mind ..... extending the life of v4...
> period! The so-called security that most think NAT gives them is a side
> effect. NAT/PAT also breaks several protocols (PASV FTP, H.323, etc) and I
> for one will be happy to see it go. I think it's a mistake to include NAT in
> v6 because there are other methodologies of accomplishing all of the side
> effects that everyone is used to seeing NAT provide without having to
> actually translate IPs or ports.
>
> I for one (as well as a lot of other folks I know) am not/will not be using
> any kind of NAT moving forward.
>
> </flame-suit-on>
>
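The two leaks argued over above (an interface ID derived from the MAC address, and the /64 grouping that tells an outside observer which hosts share a subnet) can be checked for directly in a web server's source addresses. The script below is an added example, not code from anyone in this thread: it recovers the MAC from a modified EUI-64 interface ID (the ff:fe marker and the flipped U/L bit from RFC 4291 Appendix A) and groups hits by /64. The addresses in SAMPLE_HITS are constructed for the example under the 2001:db8::/32 documentation prefix, and the function names are this example's own.

```python
"""Audit IPv6 source addresses for two information leaks: a MAC-derived
(modified EUI-64) interface ID, and the /64 grouping that shows which hosts
sit on the same subnet. Example code; the sample addresses are constructed
under the 2001:db8::/32 documentation prefix."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed web-server hits (not real data): an EUI-64 host, a
# privacy-extension host and a static address on one /64, plus a second
# EUI-64 host on a neighbouring /64.
SAMPLE_HITS = [
    "2001:db8:1:10:21b:63ff:fe84:45e6",
    "2001:db8:1:10:ac5b:9c1d:77e2:4f03",
    "2001:db8:1:10::1",
    "2001:db8:1:20:21b:63ff:fe84:45e7",
]


def eui64_mac(addr: str) -> Optional[str]:
    """Return the MAC embedded in a modified EUI-64 interface ID, or None.

    RFC 4291 Appendix A forms the IID from the 48-bit MAC by inverting the
    U/L bit (0x02) of the first octet and inserting 0xff 0xfe between the
    OUI and the device part. Reversing that recovers the MAC. A random IID
    (RFC 4941 privacy address) carries the ff:fe marker with probability
    2**-16, so a match is a strong hint rather than proof.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3] != 0xFF or iid[4] != 0xFE:
        return None
    mac = bytes([iid[0] ^ 0x02, iid[1], iid[2], iid[5], iid[6], iid[7]])
    return ":".join(f"{b:02x}" for b in mac)


def subnet_of(addr: str, prefixlen: int = 64) -> str:
    """The /64 an address sits in, i.e. how an observer would group it."""
    return str(ipaddress.IPv6Network(f"{addr}/{prefixlen}", strict=False))


def audit(addresses: List[str]) -> Dict[str, List[Tuple[str, Optional[str]]]]:
    """Group addresses by /64 and attach the recovered MAC where there is one."""
    report: Dict[str, List[Tuple[str, Optional[str]]]] = {}
    for addr in addresses:
        report.setdefault(subnet_of(addr), []).append((addr, eui64_mac(addr)))
    return report


def leaking_hosts(addresses: List[str]) -> List[Tuple[str, str]]:
    """Addresses whose interface ID exposes a hardware address, with the MAC."""
    found = []
    for addr in addresses:
        mac = eui64_mac(addr)
        if mac is not None:
            found.append((addr, mac))
    return found


if __name__ == "__main__":
    for net, hosts in sorted(audit(SAMPLE_HITS).items()):
        print(net)
        for addr, mac in hosts:
            print(f"  {addr:40} {'MAC ' + mac if mac else 'no MAC leak'}")
```

Run against an access log's source column, a single /64 with several hits is already the "executive floor" correlation Kaufman describes, with or without NAT in the path; the EUI-64 hits additionally pin each hit to a specific NIC across renumbering, which is what RFC 4941 privacy addresses are meant to prevent.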