[128187] in North American Network Operators' Group


Re: Addressing plan exercise for our IPv6 course

daemon@ATHENA.MIT.EDU (Jens Link)
Mon Jul 26 00:26:03 2010

To: nanog list <nanog@nanog.org>
From: Jens Link <lists@quux.de>
Date: Mon, 26 Jul 2010 06:24:04 +0200
In-Reply-To: <38E7A759-F062-4F0B-903F-29B4C1F66DF7@delong.com> (Owen DeLong's message of "Fri, 23 Jul 2010 08:33:19 -0700")

Owen DeLong <owen@delong.com> writes:

>> You know that, I know that and (hopefully) all people on this list know
>> that. But NAT == security was and still is sold by many people. 
>> 
> So is snake oil.

Ack, but people are still buying snake oil too.

>> After one of my talks about IPv6 the firewall admins of a company said
>> something like: "So we can't use NAT as an excuse anymore and have to
>> configure firewall rules? We don't want this."
>> 
> So how did you answer him?

To be honest: I don't remember. I got drunk that evening. ;-) 

> The correct answer is "No, you don't have to configure rules, you just need
> one rule supplied by default which denies anything that doesn't have a
> corresponding outbound entry in the state table and it works just like NAT
> without the address mangling".

They used NAT as an excuse not to let some applications out to the
outside.

Jens
-- 
-------------------------------------------------------------------------
| Foelderichstr. 40   | 13595 Berlin, Germany    | +49-151-18721264     |
| http://blog.quux.de | jabber: jenslink@guug.de | -------------------  | 
-------------------------------------------------------------------------
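The "one default rule" Owen describes above, written out as an nftables ruleset for a dual-stack border router. This is an added example for readers of the thread, not anything Jens or Owen posted, and it is not a NANOG recommendation. The interface names lan0 and wan0, and the choice to allow SSH to the router only from the LAN side, are assumptions. The part that differs from "NAT thinking" is the ICMPv6 handling: a stateful default-deny that also drops all ICMPv6 breaks Neighbor Discovery and Path MTU Discovery, so the types that RFC 4890 says a firewall must pass are listed explicitly.

```nft
#!/usr/sbin/nft -f
# Added example: stateful default-deny without address mangling.
# Assumptions: inside interface lan0, outside interface wan0, this box is
# the router. Apply with: nft -f this-file
flush ruleset

table inet border {
    # Traffic through the router (the firewall role Owen is talking about).
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Packets belonging to a flow the inside opened: the "corresponding
        # outbound entry in the state table". This single line is everything
        # NAT ever provided in terms of unsolicited-inbound protection.
        ct state established,related accept
        ct state invalid drop

        # Inside hosts may initiate anything; conntrack records the flow so
        # the replies match the rule above.
        iifname "lan0" oifname "wan0" accept

        # Caveat that does not exist in the IPv4+NAT world: end-to-end IPv6
        # needs error and PMTUD messages to pass in both directions (RFC 4890).
        # Dropping packet-too-big in particular causes silent blackholing.
        meta l4proto ipv6-icmp icmpv6 type {
            destination-unreachable, packet-too-big, time-exceeded,
            parameter-problem, echo-request, echo-reply
        } accept

        # Anything else arriving from the outside falls through to the policy.
        counter comment "unsolicited inbound dropped"
    }

    # Traffic addressed to the router itself.
    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop
        iif "lo" accept

        # Neighbor Discovery is link-local and is never forwarded, so it must
        # be permitted here, not in forward. Without it the router loses its
        # neighbor cache entries and the LAN stops working.
        # (If the wan0 address is learned from upstream RAs, add
        # nd-router-advert to this set as well.)
        meta l4proto ipv6-icmp icmpv6 type {
            nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit,
            destination-unreachable, packet-too-big, time-exceeded,
            parameter-problem, echo-request
        } accept

        # Management only from the inside (assumption).
        iifname "lan0" tcp dport 22 accept

        counter comment "unsolicited to router dropped"
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Read the forward chain top to bottom and it is exactly Owen's sentence: one stateful accept, then drop. What the firewall admins in Jens's story would have to add on top are the explicit per-application holes they previously hid behind "we can't, it's NATted"; with a global address that excuse is gone, but the default posture is unchanged. RFC 4864 ("Local Network Protection for IPv6") makes this same argument at length if you need something to hand to a customer.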

