[125958] in North American Network Operators' Group


Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast

daemon@ATHENA.MIT.EDU (Jon Lewis)
Tue Apr 27 14:56:36 2010

Date: Tue, 27 Apr 2010 14:54:07 -0400 (EDT)
From: Jon Lewis <jlewis@lewis.org>
To: Valdis.Kletnieks@vt.edu
In-Reply-To: <20861.1272394046@localhost>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Tue, 27 Apr 2010 Valdis.Kletnieks@vt.edu wrote:

>> At least with NAT, if someone really screws up the config, the "inside"
>> stuff is all typically on non-publicly-routed IPs, so the worst likely to
>> happen is they lose internet, but at least the internet can't directly
>> reach them.
>
> You *do* realize that the skill level needed to misconfigure a firewall
> into that state, and the skill level needed to do the exact same thing to
> a firewall-NAT box, are *both* less than the skill level needed to remember
> to also deploy traffic monitors so you know you screwed up, and host-based
> firewalls to guard against chuckleheads screwing up the border box?

I think you forget where most networking is done. Monitoring? You mean
something beyond walking down the hall to the network closet and seeing
all the blinking lights are flashing really fast?

How about the typical home DSL/Cable modem user? Do you think they even
know what SNMP is? Do you think they have host based firewalls on all
their PCs? Do you want mom and dad's PCs exposed on the internet, or
neatly hidden behind a NAT device they don't even realize is built into
their cable/DSL router?

----------------------------------------------------------------------
  Jon Lewis                   |  I route
  Senior Network Engineer     |  therefore you are
  Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
