[170203] in North American Network Operators' Group


Re: misunderstanding scale

daemon@ATHENA.MIT.EDU (Owen DeLong)
Mon Mar 24 23:08:58 2014

From: Owen DeLong <owen@delong.com>
In-Reply-To: <CAP-guGUsNghSC2Te-L50=zXOuAYmTm1cOdLYyNHP7Grqso-8qA@mail.gmail.com>
Date: Mon, 24 Mar 2014 20:02:51 -0700
To: William Herrin <bill@herrin.us>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Mar 24, 2014, at 9:21 AM, William Herrin <bill@herrin.us> wrote:

> On Sun, Mar 23, 2014 at 11:07 PM, Naslund, Steve <SNaslund@medline.com> wrote:
>> I am not sure I agree with the basic premise here. NAT or Private addressing does not equal security.
>
> Hi Steve,
>
> It is your privilege to believe this and to practice it in the
> networks you operate.
>
> Many of the folks you would have deploy IPv6 do not agree. They take
> comfort in the mathematical impossibility of addressing an internal
> host from an outside packet that is not part of an ongoing session.
> These folks find that address-overloaded NAT provides a valuable
> additional layer of security.

Which impossibility has been disproven multiple times.

> Some folks WANT to segregate their networks from the Internet via a
> general-protocol transparent proxy. They've had this capability with
> IPv4 for 20 years. IPv6 poorly addresses their requirement.

Actually, there are multiple implementations of transparent proxies available
for IPv6. NAT isn't the same thing at all.

If you want to make your life difficult in IPv6, you can. Nobody prevents you from
doing so. It is discouraged and nonsensical, but quite possible at this point.

Owen
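The property Bill's users attribute to address-overloaded NAT (no outside packet reaches an inside host unless it belongs to a session the inside host opened) comes from the stateful filter, not from the address rewriting. The nftables ruleset below is an added illustration, not something from the thread or from any participant; it assumes a border router with LAN interface "lan0" holding the documentation prefix 2001:db8:1::/64 and WAN interface "wan0", and it enforces that property for IPv6 with no translation at all.

```nft
# Added example (not from the thread). Assumed names: lan0, wan0,
# and the 2001:db8:1::/64 documentation prefix. Load with: nft -f edge.nft

table ip6 edge {
    chain forward {
        # Default-deny for everything routed through this box.
        type filter hook forward priority filter; policy drop;

        # Packets that belong to a session an inside host already opened
        # (and conntrack-recognised ICMPv6 errors for it) are let back in.
        ct state established,related accept

        # Packets conntrack cannot place in any session are dropped early.
        ct state invalid drop

        # Inside hosts may initiate sessions toward the Internet.
        iifname "lan0" oifname "wan0" ip6 saddr 2001:db8:1::/64 accept

        # ICMPv6 error types IPv6 needs end-to-end (notably packet-too-big
        # for path MTU discovery) are allowed even when conntrack does not
        # tie them to a session.
        iifname "wan0" oifname "lan0" icmpv6 type {
            destination-unreachable, packet-too-big,
            time-exceeded, parameter-problem
        } accept

        # Any other packet arriving from wan0 toward the LAN is not part of
        # an ongoing session and is dropped by the chain policy, which is
        # the outcome NAT overloading gives, without rewriting addresses.
    }
}
```

Because no address is rewritten, an inside host keeps its global address and the filter decision is visible and auditable in one chain, rather than being a side effect of translation state.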
