[128230] in North American Network Operators' Group
Re: Addressing plan exercise for our IPv6 course
daemon@ATHENA.MIT.EDU (Owen DeLong)
Tue Jul 27 15:39:20 2010
From: Owen DeLong <owen@delong.com>
In-Reply-To: <C8747BFF.286A%bora@pnl.gov>
Date: Tue, 27 Jul 2010 12:34:40 -0700
To: "Akyol, Bora A" <bora@pnl.gov>
Cc: nanog list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Jul 27, 2010, at 12:05 PM, Akyol, Bora A wrote:
> Please see comments inline.
>
>
> On 7/22/10 10:13 PM, "Owen DeLong" <owen@delong.com> wrote:
>
>> In all reality:
>>
>> 1. NAT has nothing to do with security. Stateful inspection provides
>> security, NAT just mangles addresses.
> Of course, the problem is that there are millions of customers that believe
> that NAT == security. This needs to change.
>>
>> 2. In the places where NAT works, it does so at a terrible cost. It
>> breaks a number of things, and, applications like Skype are
>> incredibly more complex pieces of code in order to solve NAT
>> traversal.
>
> I look at this as water under the bridge. Yep, it was complicated code and
> now it works. I can run bittorrent just fine beyond an Apple wireless router
> and I did nothing to make that work. Micro-torrent just communicates with
> the router to make the port available.
>
It's only water under the bridge for IPv4. If we start putting NAT66 into play,
it will be the same thing all over again.
Additionally, it's only water under the bridge for existing applications. Each
new application seems to go through the same exercise because for some
reason, no two NAT gateways seem to have exactly the same traversal
requirements and no two applications seem to implement the same set
of traversal code.
>
>> The elimination of NAT is one of the greatest features of IPv6.
>>
>> Most customers don't know or care what NAT is and wouldn't know the
>> difference between a NAT firewall and a stateful inspection firewall.
>>
>> I do think that people will get rid of the NAT box by and large, or, at least
>> in IPv6, the box won't be NATing.
>>
>> Whether or not they NAT it, it's still better to give the customer enough
>> addresses that they don't HAVE to NAT.
>>
>> Owen
>>
>
> Of course, no disagreement there. The real challenge is going to be
> education of customers so that they can actually configure a firewall policy
> to protect their now-suddenly-addressable-on-the-Internet home network. I
> would love to see how SOHO vendors are going to address this.
>
Not so much... SOHO gateways should implement stateful inspection
with the same default policy a NAT box provides today...
1. Outbound packets create a state table entry.
2. Inbound packets are only forwarded if they match an existing
state table entry.
Pretty simple, actually.
Owen
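The two-rule default policy Owen describes (outbound packets create a state table entry, inbound packets are forwarded only if they match one) as a toy model in Python. This is an added example, not code from the thread or from any SOHO vendor; the class name, the flow-key layout and the RFC 3849 documentation addresses (2001:db8::/32) are assumptions made for illustration. Note that the gateway never rewrites an address, which is the point of the post: stateful inspection alone gives the same default protection a NAT box does today.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Flow key as seen from the inside:
# (proto, inside addr, inside port, outside addr, outside port)
FlowKey = Tuple[str, str, int, str, int]


@dataclass(frozen=True)
class Packet:
    """A transport-layer packet transiting the gateway (constructed sample data)."""
    proto: str   # "tcp" or "udp"
    src: str     # source IPv6 address
    sport: int   # source port
    dst: str     # destination IPv6 address
    dport: int   # destination port


class StatefulGateway:
    """Toy model of the default policy from the post: outbound packets create a
    state-table entry, inbound packets are forwarded only if they match one.
    No address rewriting happens anywhere; inside hosts keep their global addresses."""

    def __init__(self, inside_prefix: str):
        # The prefix on the LAN side, e.g. one /64 out of the customer's delegation.
        self.inside = ipaddress.IPv6Network(inside_prefix)
        # State table: flow -> number of packets matched so far.
        self.state: Dict[FlowKey, int] = {}

    def _is_inside(self, addr: str) -> bool:
        return ipaddress.IPv6Address(addr) in self.inside

    def handle(self, pkt: Packet) -> str:
        """Return the gateway's decision for one packet: forward-out, forward-in or drop."""
        src_in, dst_in = self._is_inside(pkt.src), self._is_inside(pkt.dst)
        if src_in and not dst_in:
            # Rule 1: an outbound packet creates (or refreshes) a state entry.
            key: FlowKey = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
            self.state[key] = self.state.get(key, 0) + 1
            return "forward-out"
        if dst_in and not src_in:
            # Rule 2: an inbound packet is forwarded only if it is the reverse
            # direction of a flow already in the table; otherwise it is dropped.
            key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if key in self.state:
                self.state[key] += 1
                return "forward-in"
            return "drop"
        # Inside-to-inside or outside-to-outside traffic never transits this gateway.
        return "drop"


def demo() -> List[str]:
    """Walk a few constructed packets through the gateway and return its decisions."""
    gw = StatefulGateway("2001:db8:1::/64")   # RFC 3849 documentation prefix (assumed LAN)
    inside_host = "2001:db8:1::10"
    web_server = "2001:db8:ffff::80"
    unsolicited_peer = "2001:db8:ffff::99"
    decisions = [
        # Unsolicited inbound connection attempt to the inside host: no state, dropped.
        gw.handle(Packet("tcp", unsolicited_peer, 40000, inside_host, 22)),
        # The inside host opens an HTTPS connection: state entry created.
        gw.handle(Packet("tcp", inside_host, 51000, web_server, 443)),
        # The server's reply reverses that flow exactly: forwarded.
        gw.handle(Packet("tcp", web_server, 443, inside_host, 51000)),
        # Same server, but aimed at a port the host never used: no match, dropped.
        gw.handle(Packet("tcp", web_server, 443, inside_host, 51001)),
    ]
    return decisions


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

On a real Linux-based SOHO gateway the same policy is a connection-tracking rule rather than a hand-written table: the forward chain defaults to drop, LAN-originated traffic is accepted (creating the conntrack entry), and WAN-originated traffic is accepted only when conntrack reports it as established or related. The toy model above ignores timeouts, TCP state tracking and ICMPv6, all of which a production implementation needs.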