[170117] in North American Network Operators' Group
Re: misunderstanding scale
daemon@ATHENA.MIT.EDU (Mark Tinka)
Mon Mar 24 12:40:15 2014
From: Mark Tinka <mark.tinka@seacom.mu>
To: Timothy Morizot <tmorizot@gmail.com>
Date: Mon, 24 Mar 2014 18:35:18 +0200
In-Reply-To: <CAFy81rn0hCCMRcZGhwod_G+Kh2bs93TAxOVys1rsdzvQ55WxXQ@mail.gmail.com>
Cc: NANOG list <nanog@nanog.org>
Reply-To: mark.tinka@seacom.mu
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Monday, March 24, 2014 02:56:13 PM Timothy Morizot wrote:
> NAT traversal is and has long been fairly trivial. NAT
> and RFC1918 provides no meaningful host protection
> whatsoever and never has. The only thing that limits
> direct access to internal networks is a stateful
> firewall. (Well, IPS can also drop packets.) That's true
> for IPv4 and for IPv6. So an enterprise relying on NAT44
> and RFC1918 for internal host protection instead of a
> stateful firewall already has no meaningful security in
> place.
Don't disagree with you there.
I'm saying many an enterprise (small and large) as well as
homes operate this way. There is a lot of unlearning to do.
The whole issue is that a number of enterprises "may" only
feel safe if IPv6 comes with NAT66, probably on top (or not
on top) of a stateful IPv6 firewall.
We need to think about how to re-train the enterprise, if we
don't want to repeat the erasure of the end-to-end model,
second time around.
Mark.