[136495] in North American Network Operators' Group

RE: quietly....

daemon@ATHENA.MIT.EDU (Jon Lewis)
Thu Feb 3 11:20:36 2011

Date: Thu, 3 Feb 2011 11:16:18 -0500 (EST)
From: Jon Lewis <jlewis@lewis.org>
To: Brian Johnson <bjohnson@drtel.com>
In-Reply-To: <F05D77A9631CAE4097F7B69095F1B06F0386FC@EX02.drtel.lan>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Thu, 3 Feb 2011, Brian Johnson wrote:

>> 3) To give all your outbound sessions a mutual appearance, so as to
>> confound those attempting to build a profile of your activity.
>
> So this goes back to security through obscurity. OK.

There's an awful lot of inertia in the "NAPT/firewall keeps our hosts 
safe from the internet" mentality.  Sure, a stateful firewall can be 
configured to allow all outbound traffic and only connected/related inbound. 
When someone breaks or shuts off that filter, traffic through the NAPT 
firewall stops working.  On the stateful firewall with public IPs on both 
sides, everything works...including the traffic you didn't want.

People are going to want NAT66...and not providing it may slow down IPv6 
adoption.

----------------------------------------------------------------------
  Jon Lewis, MCP :)           |  I route
  Senior Network Engineer     |  therefore you are
  Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
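The failure-mode argument above, as an added example that is not part of the original post: an nftables IPv6 forward chain written in the fragile default-accept shape next to the fail-closed default-drop shape. Interface names and the LAN prefix are assumptions.

```nftables
# Added example (not from the original post): two forward-chain shapes for a
# stateful IPv6 firewall with public addresses on both sides. Interface names
# and the 2001:db8:1::/64 LAN prefix are assumptions. Load (a) OR (b), not both.
define wan = "eth0"
define lan = "eth1"
define lan_net = 2001:db8:1::/64

# (a) Fragile shape: default-accept plus one rule that blocks unsolicited
# inbound. Delete or mistype that single rule and every LAN host is fully
# reachable from the Internet, with nothing else in the path to stop it.
table ip6 fragile {
    chain forward {
        type filter hook forward priority 0; policy accept;
        iifname $wan oifname $lan ct state new,invalid drop
    }
}

# (b) Fail-closed shape: default-drop, with explicit accepts for the
# sessions we want. Removing any rule here only removes connectivity,
# which is the same failure mode a NAPT box gives you for free.
table ip6 filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Drop packets conntrack cannot associate with any flow.
        ct state invalid drop

        # Return traffic for flows already in the state table (both
        # directions). ICMPv6 errors such as Packet Too Big for a tracked
        # flow are classified "related", so PMTU discovery keeps working.
        ct state established,related accept

        # Only LAN hosts with our prefix may open new sessions outward.
        iifname $lan oifname $wan ip6 saddr $lan_net ct state new accept

        # Anything else, including unsolicited inbound to public LAN
        # addresses, is counted and then falls through to policy drop.
        counter
    }
}
```

Check with `nft list ruleset` after loading: if the forward chain does not show `policy drop`, the box fails open the way the post describes.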
