[128229] in North American Network Operators' Group


Re: Addressing plan exercise for our IPv6 course

daemon@ATHENA.MIT.EDU (Akyol, Bora A)
Tue Jul 27 15:05:39 2010

From: "Akyol, Bora A" <bora@pnl.gov>
To: Owen DeLong <owen@delong.com>
Date: Tue, 27 Jul 2010 12:05:19 -0700
In-Reply-To: <8AC1FEFF-C2A5-4063-BB26-8F11BB1985EE@delong.com>
Cc: nanog list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Please see comments inline.


On 7/22/10 10:13 PM, "Owen DeLong" <owen@delong.com> wrote:

> In all reality:
>
> 1.      NAT has nothing to do with security. Stateful inspection provides
>         security, NAT just mangles addresses.
Of course, the problem is that there are millions of customers that believe
that NAT == security. This needs to change.
>
> 2.      In the places where NAT works, it does so at a terrible cost. It
>         breaks a number of things, and, applications like Skype are
>         incredibly more complex pieces of code in order to solve NAT
>         traversal.

I look at this as water under the bridge. Yep, it was complicated code and
now it works. I can run bittorrent just fine beyond an Apple wireless router
and I did nothing to make that work. Micro-torrent just communicates with
the router to make the port available.


> The elimination of NAT is one of the greatest features of IPv6.
>
> Most customers don't know or care what NAT is and wouldn't know the
> difference between a NAT firewall and a stateful inspection firewall.
>
> I do think that people will get rid of the NAT box by and large, or, at least
> in IPv6, the box won't be NATing.
>
> Whether or not they NAT it, it's still better to give the customer enough
> addresses that they don't HAVE to NAT.
>
> Owen
>

Of course, no disagreement there. The real challenge is going to be
education of customers so that they can actually configure a firewall policy
to protect their now-suddenly-addressable-on-the-Internet home network. I
would love to see how SOHO vendors are going to address this.
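The point both posters agree on, that a stateful filter and not address translation is what keeps unsolicited traffic out of a home network, is easy to show with a small model of the policy a SOHO router would need once the LAN is globally addressable. The following is an added example written for this archive page; it is not code from the thread or from any router vendor. The prefix (from the 2001:db8::/32 documentation range), the hosts, the packet trace and the `open_port` pinhole call (standing in for the port-mapping request a torrent client sends to its router, not a real protocol) are all constructed for the illustration. The ICMPv6 types it lets through are the ones RFC 4890 says a border firewall must not drop.

```python
"""
Toy stateful packet filter for an IPv6 home network that is directly
addressable, i.e. no NAT in front of it.  Added illustration for this
thread, not code from the original post.  The prefix, hosts and the packet
trace are constructed; 2001:db8::/32 is the documentation range.
"""
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network

# ICMPv6 types a border firewall must not drop (RFC 4890): destination
# unreachable, packet too big, time exceeded, parameter problem, echo
# request/reply, and the four neighbor discovery messages.
ICMPV6_ALLOWED = {1, 2, 3, 4, 128, 129, 133, 134, 135, 136}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmpv6"
    sport: int = 0
    dport: int = 0
    syn: bool = False     # TCP SYN bit; only SYNs may open new TCP state
    icmp_type: int = 0


class BorderFilter:
    """Default-deny inbound; stateful allow for flows opened from inside."""

    def __init__(self, lan: IPv6Network):
        self.lan = lan
        self.flows = set()      # canonical (proto, in_addr, in_port, out_addr, out_port)
        self.pinholes = set()   # (proto, port) explicitly opened by a LAN host

    def _inside(self, addr: str) -> bool:
        return IPv6Address(addr) in self.lan

    def _canon(self, p: Packet):
        # Key every flow by its inside endpoint first, whichever way the packet travels.
        if self._inside(p.src):
            return (p.proto, p.src, p.sport, p.dst, p.dport)
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def open_port(self, proto: str, port: int) -> None:
        """Hypothetical pinhole request from a LAN host (constructed stand-in
        for a router port-mapping protocol, not a real one)."""
        self.pinholes.add((proto, port))

    def verdict(self, p: Packet) -> str:
        if p.proto == "icmpv6":
            return "accept" if p.icmp_type in ICMPV6_ALLOWED else "drop"
        key = self._canon(p)
        if key in self.flows:
            return "accept"                      # established flow, either direction
        if p.proto == "tcp" and not p.syn:
            return "drop"                        # no state and not a SYN: stray segment
        if self._inside(p.src) and not self._inside(p.dst):
            self.flows.add(key)                  # outbound: open state
            return "accept"
        if self._inside(p.dst) and (p.proto, p.dport) in self.pinholes:
            self.flows.add(key)                  # inbound to an explicitly opened port
            return "accept"
        return "drop"                            # unsolicited inbound


def run_trace(filt: BorderFilter, trace) -> list:
    return [filt.verdict(p) for p in trace]


LAN = IPv6Network("2001:db8:1::/64")          # constructed home prefix
PC = "2001:db8:1::10"                         # constructed LAN host
WEB = "2001:db8:ffff::80"                     # constructed external server
SCANNER = "2001:db8:ffff::666"                # constructed external scanner

# Constructed packet trace crossing the border router
TRACE = [
    Packet(PC, WEB, "tcp", 51000, 443, syn=True),          # 0 outbound SYN -> opens state
    Packet(WEB, PC, "tcp", 443, 51000, syn=True),          # 1 SYN-ACK back -> matches state
    Packet(WEB, PC, "tcp", 443, 51000),                    # 2 data on the same flow
    Packet(SCANNER, PC, "tcp", 40000, 22, syn=True),       # 3 unsolicited SSH probe
    Packet(SCANNER, PC, "tcp", 40000, 6881),               # 4 stray ACK, no state
    Packet(SCANNER, PC, "icmpv6", icmp_type=135),          # 5 neighbor solicitation
    Packet(SCANNER, PC, "icmpv6", icmp_type=140),          # 6 node information query
]


def demo():
    filt = BorderFilter(LAN)
    before = run_trace(filt, TRACE)
    filt.open_port("tcp", 6881)                            # LAN client asks for a pinhole
    after = filt.verdict(Packet(SCANNER, PC, "tcp", 40000, 6881, syn=True))
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for p, v in zip(TRACE, before):
        print(f"{v:6} {p.proto:6} {p.src} -> {p.dst}:{p.dport}")
    print("after pinhole, inbound SYN to 6881:", after)
```

Nothing in `verdict` looks at whether an address was rewritten on the way through; the state table alone decides what comes back in, which is the sense in which NAT "just mangles addresses". The pinhole shows the other half of the thread: a client on the LAN can open its own port through the filter, so the policy a SOHO box ships with matters more than whether it translates.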



