[134849] in North American Network Operators' Group


RE: Is NAT can provide some kind of protection?

daemon@ATHENA.MIT.EDU (George Bonser)
Wed Jan 12 12:22:30 2011

Date: Wed, 12 Jan 2011 09:21:39 -0800
In-Reply-To: <4D2DDFCC.3020906@brightok.net>
From: "George Bonser" <gbonser@seven.com>
To: "Jack Bates" <jbates@brightok.net>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

>
> I'd eat a hat if a vendor didn't implement a PAT equivalent. It's
> demanded too much. There is money for it, so it will be there.
>
>
> Jack

Yeah, I think you are right.  But in really thinking about it, I wonder
why.  The whole point of PAT was address conservation.  You don't need
that with v6.  All you need to do with v6 is basically have what amounts
to a firewall in transparent mode in the line and doesn't let a packet
in (except where explicitly configured to) unless it is associated with a
packet that went out.

PAT makes little sense to me for v6, but I suspect you are correct.  In
addition, we are putting the "fire suit" on each host in addition to the
firewall. Kernel firewall rules on each host for the *nix boxen.
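
Added example, not part of the original message: an nftables ruleset sketching the stateful, no-translation IPv6 policy described above, with a forward chain for the in-path firewall and an input chain for the per-host "fire suit". It is shown for a routed Linux firewall rather than a transparent bridge; the interface names lan0/wan0, the mail server address 2001:db8:10::25 and the open ports are assumptions.

```nftables
#!/usr/sbin/nft -f
# Constructed example. Interface names, the 2001:db8::/32 documentation
# address and the permitted ports are assumptions, not values from the post.

table ip6 filter {
    # In-path firewall: packets routed between inside and outside.
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Admit only packets associated with a flow that went out first.
        ct state established,related accept

        # ICMPv6 errors must pass or path MTU discovery breaks;
        # IPv6 routers do not fragment on behalf of the sender.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept

        ct state invalid drop

        # Inside hosts may open new flows outward. No address rewriting.
        iifname "lan0" oifname "wan0" accept

        # The "except where explicitly configured to" case:
        # one inbound service, one destination, one port.
        iifname "wan0" ip6 daddr 2001:db8:10::25 tcp dport 25 ct state new accept
    }

    # Per-host rules: the same policy applied to traffic for the box itself.
    chain input {
        type filter hook input priority 0; policy drop;

        iifname "lo" accept
        ct state established,related accept

        # Neighbor discovery and router advertisements are required for
        # basic IPv6 operation on the link, so they are allowed explicitly.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem, echo-request,
                      nd-router-advert, nd-neighbor-solicit,
                      nd-neighbor-advert } accept

        ct state invalid drop

        # Management access (assumed to be SSH on the default port).
        tcp dport 22 ct state new accept
    }
}
```

Both chains default to drop, so anything unsolicited from outside is refused without PAT; `nft -c -f <file>` checks the syntax without loading the rules.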



