[170123] in North American Network Operators' Group
Re: misunderstanding scale
daemon@ATHENA.MIT.EDU (Patrick W. Gilmore)
Mon Mar 24 13:07:21 2014
From: "Patrick W. Gilmore" <patrick@ianai.net>
In-Reply-To: <CAP-guGUsNghSC2Te-L50=zXOuAYmTm1cOdLYyNHP7Grqso-8qA@mail.gmail.com>
Date: Mon, 24 Mar 2014 13:05:11 -0400
To: North American Operators' Group <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Mar 24, 2014, at 12:21, William Herrin <bill@herrin.us> wrote:
> On Sun, Mar 23, 2014 at 11:07 PM, Naslund, Steve <SNaslund@medline.com> wrote:
>> I am not sure I agree with the basic premise here. NAT or Private addressing does not equal security.
> Many of the folks you would have deploy IPv6 do not agree. They take
> comfort in the mathematical impossibility of addressing an internal
> host from an outside packet that is not part of an ongoing session.
> These folks find that address-overloaded NAT provides a valuable
> additional layer of security.
>
> Some folks WANT to segregate their networks from the Internet via a
> general-protocol transparent proxy. They've had this capability with
> IPv4 for 20 years. IPv6 poorly addresses their requirement.
NAT is not required for the above. Any firewall can stop incoming packets unless they are part of an established session. NAT doesn't add much of anything, especially given that you can have one-to-one NAT.
-- 
TTFN,
patrick
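The point made above, that "only packets belonging to an established session get in" is a property of stateful filtering and not of address translation, is easy to see in a small model. The following is an added example, not code from the thread or from any firewall product: it models a connection-tracking filter at the border (which works identically for IPv6 and IPv4, with no translation) next to a static one-to-one NAT that rewrites addresses but keeps no state. All addresses, prefixes and packets are constructed for illustration.

```python
"""Stateful filter vs. one-to-one NAT (constructed example, not a real firewall).

The border filter keeps a table of flows initiated from the inside and admits
an outside packet only if it matches one of them. The one-to-one NAT below
keeps no such table: it simply maps a public address to a private one, so an
unsolicited outside packet is translated and delivered unless a stateful
filter is also present.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True on the first packet of a new TCP connection


class StatefulFilter:
    """Accept inside->outside; accept outside->inside only for recorded flows."""

    def __init__(self, inside_prefix: str):
        self.inside = ipaddress.ip_network(inside_prefix)
        # Flow table keyed by (inside addr, inside port, outside addr, outside port).
        self.flows = set()

    def _is_inside(self, addr: str) -> bool:
        return ipaddress.ip_address(addr) in self.inside

    def filter(self, pkt: Packet) -> str:
        if self._is_inside(pkt.src) and not self._is_inside(pkt.dst):
            # Outbound: record the 4-tuple so the return direction is allowed.
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "accept"
        if not self._is_inside(pkt.src) and self._is_inside(pkt.dst):
            # Inbound: only packets matching an established flow get through.
            if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
                return "accept"
            return "drop"
        # Only the inside/outside border is modelled; anything else is dropped.
        return "drop"


class OneToOneNAT:
    """Static 1:1 mapping (public -> private) with no connection state at all."""

    def __init__(self, public_to_private: dict):
        self.inbound_map = dict(public_to_private)
        self.outbound_map = {v: k for k, v in public_to_private.items()}

    def translate_inbound(self, pkt: Packet) -> Packet:
        # Rewrite the destination if it is a mapped public address; nothing is blocked.
        if pkt.dst in self.inbound_map:
            return Packet(pkt.src, pkt.sport, self.inbound_map[pkt.dst], pkt.dport, pkt.syn)
        return pkt

    def translate_outbound(self, pkt: Packet) -> Packet:
        if pkt.src in self.outbound_map:
            return Packet(self.outbound_map[pkt.src], pkt.sport, pkt.dst, pkt.dport, pkt.syn)
        return pkt


def demo() -> dict:
    """Run the constructed scenarios and return each decision by name."""
    results = {}

    # IPv6 border: global addresses on both sides, no NAT, stateful filter only.
    v6 = StatefulFilter("2001:db8:1::/64")
    host, server = "2001:db8:1::10", "2001:db8:ffff::1"
    results["v6_outbound"] = v6.filter(Packet(host, 40000, server, 443, syn=True))
    results["v6_reply"] = v6.filter(Packet(server, 443, host, 40000))
    results["v6_unsolicited"] = v6.filter(Packet(server, 5555, host, 22, syn=True))

    # IPv4 with one-to-one NAT and no stateful filter: the public address maps
    # straight to the private host, so an unsolicited packet is delivered.
    nat = OneToOneNAT({"192.0.2.10": "10.0.0.10"})
    probe = Packet("198.51.100.7", 5555, "192.0.2.10", 22, syn=True)
    results["v4_nat_only_delivered_to"] = nat.translate_inbound(probe).dst

    # Same NAT with a stateful filter behind it: the translated probe is dropped.
    v4 = StatefulFilter("10.0.0.0/8")
    results["v4_nat_plus_filter"] = v4.filter(nat.translate_inbound(probe))

    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The v6 scenario never translates anything, yet the unsolicited packet is dropped; the v4 scenario shows that a one-to-one mapping on its own forwards the same probe straight to the private host. On a real Linux border the v6 filter's behaviour corresponds to an nftables input/forward policy of drop with an `ct state established,related accept` rule ahead of it, which is how a practitioner would express "only packets of an ongoing session" without NAT.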