[128040] in North American Network Operators' Group
Re: Addressing plan exercise for our IPv6 course
daemon@ATHENA.MIT.EDU (Owen DeLong)
Fri Jul 23 11:34:09 2010
From: Owen DeLong <owen@delong.com>
In-Reply-To: <87hbjqa5o5.fsf@oban.berlin.quux.de>
Date: Fri, 23 Jul 2010 08:33:19 -0700
To: Jens Link <lists@quux.de>
Cc: nanog list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Jul 23, 2010, at 2:50 AM, Jens Link wrote:
> Owen DeLong <owen@delong.com> writes:
>
>> In all reality:
>>
>> 1. NAT has nothing to do with security. Stateful inspection provides
>> security, NAT just mangles addresses.
>
> You know that, I know that and (hopefully) all people on this list know
> that. But NAT == security was and still is sold by many people.
>
So is snake oil.
>> Most customers don't know or care what NAT is and wouldn't know the
>> difference between a NAT firewall and a stateful inspection firewall.
>
> I agree. But there are also many people who want to believe in NAT as
> a security feature.
>
> After one of my talks about IPv6 the firewall admins of a company said
> something like: "So we can't use NAT as an excuse anymore and have to
> configure firewall rules? We don't want this."
>
So how did you answer him?
The correct answer is "No, you don't have to configure rules, you just need
one rule supplied by default which denies anything that doesn't have a
corresponding outbound entry in the state table and it works just like NAT
without the address mangling".
In my experience, other than a small handful of religious zealots, that
explanation is sufficient to get the point across to most such admins.
Owen
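As an added illustration (not part of the thread, and not anyone's production ruleset): a small Python model of the single default rule Owen describes. Outbound packets populate a state table; an inbound packet is accepted only if it matches a reversed entry, and no address is ever rewritten. The inside prefix and packets are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Set, Tuple

# A flow is identified by the 5-tuple; nothing about it is mangled.
Flow = Tuple[str, str, int, int, str]

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"

class StatefulFilter:
    """One rule: drop inbound traffic with no matching outbound state entry.
    Equivalent to what NAT gives by accident, without rewriting addresses."""

    def __init__(self, inside_prefix: str):
        self.inside = ip_network(inside_prefix)  # constructed example prefix
        self.state: Set[Flow] = set()

    def filter(self, pkt: Packet) -> str:
        inside_src = ip_address(pkt.src) in self.inside
        inside_dst = ip_address(pkt.dst) in self.inside
        if inside_src and not inside_dst:
            # Outbound: record the flow so its replies are allowed back in.
            self.state.add((pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.proto))
            return "ACCEPT"
        if inside_dst and not inside_src:
            # Inbound: accept only if it is the reverse of a recorded outbound flow.
            reverse = (pkt.dst, pkt.src, pkt.dport, pkt.sport, pkt.proto)
            return "ACCEPT" if reverse in self.state else "DROP"
        return "DROP"  # traffic not crossing the border is not the firewall's to pass

def demo() -> list:
    """Outbound HTTPS, its reply, then an unsolicited inbound SSH attempt."""
    fw = StatefulFilter("2001:db8:1::/64")
    outbound = Packet("2001:db8:1::10", "2001:db8:ffff::80", 51000, 443)
    reply = Packet("2001:db8:ffff::80", "2001:db8:1::10", 443, 51000)
    unsolicited = Packet("2001:db8:ffff::80", "2001:db8:1::10", 4444, 22)
    return [fw.filter(p) for p in (outbound, reply, unsolicited)]

if __name__ == "__main__":
    print(demo())
```

In nftables terms this is a `policy drop` input chain with a single `ct state established,related accept` rule; the hosts keep their global addresses throughout.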