[186512] in North American Network Operators' Group


RE: Nat

daemon@ATHENA.MIT.EDU (Chuck Church)
Sun Dec 20 22:54:55 2015

X-Original-To: nanog@nanog.org
From: "Chuck Church" <chuckchurch@gmail.com>
To: "'Matt Palmer'" <mpalmer@hezmatt.org>,
	<nanog@nanog.org>
In-Reply-To: <20151221032820.GI7692@hezmatt.org>
Date: Sun, 20 Dec 2015 22:54:49 -0500
Errors-To: nanog-bounces@nanog.org

-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Matt Palmer
Sent: Sunday, December 20, 2015 10:29 PM
To: nanog@nanog.org
Subject: Re: Nat

> Depends on how many devices you have on it.  Once you start filling your
> home with Internet of Unpatchable Security Holes devices, having everything
> on a single ethernet segment might start to get a little...  noisy.
>
> Thankfully, IPv6 has well-defined multicast scopes, which makes it
> trivially easy to do cross-L2-segment service discovery without needing to
> resort to manually berking around with firewall rules.
>
> - Matt

If your home is full of unpatched or compromised hosts, and they're using
these well-defined multicast scopes, doesn't that mean they can now
communicate and infect one another?  For years I've seen people on this list
insist on "NAT/PAT != firewall".   Well, a router routing everything it sees
is even less of a firewall.  I'm really not trying to be argumentative here,
but I'm just having a hard time believing Joe Sixpack will be applying
business networking principles such as micro-segmenting to a home network
with 3 to 7 devices on it.  If anything, these complexities we keep
adding/debating such as DHCP vs RA, prefix delegation, etc. are only slowing
down the general deployment of IPv6.

Chuck
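An added illustration of the two points in this exchange, not code from the thread or from either poster: the scope nibble of an IPv6 multicast address decides whether a scope-honouring router may forward a discovery packet between two L2 segments, and a separate, explicit boundary policy is what decides whether in-scope traffic should cross. The two-segment home, the packets and the policy table are constructed for the example.

```python
"""Added example, not from the NANOG thread: IPv6 multicast scope (RFC 4291
section 2.7) decides whether a scope-honouring router MAY forward a packet
between two L2 segments; an explicit boundary policy decides whether it SHOULD.
Segments, packets and the policy below are constructed for illustration."""
import ipaddress

# RFC 4291 scope nibble -> name; values not listed are reserved/unassigned
SCOPES = {0x1: "interface-local", 0x2: "link-local", 0x3: "realm-local",
          0x4: "admin-local", 0x5: "site-local", 0x8: "organization-local",
          0xE: "global"}

def multicast_scope(addr):
    """Scope name of an IPv6 multicast address, or None for a unicast address."""
    a = ipaddress.IPv6Address(addr)
    if not a.is_multicast:
        return None
    # ff00::/8: the low nibble of the second byte carries the scope
    return SCOPES.get(a.packed[1] & 0x0F, "reserved")

def router_forwards(dst, src_seg, dst_seg):
    """Would a scope-honouring router forward this packet between segments?
    Interface- and link-local multicast never leaves its segment; unicast and
    wider multicast scopes are forwarded (assumption: both segments sit inside
    one site/admin boundary, as in a single home)."""
    if src_seg == dst_seg:
        return True
    return multicast_scope(dst) not in ("interface-local", "link-local")

# Constructed boundary policy: which flow kinds may be *initiated* across the
# lan <-> iot boundary. Without such a policy, every in-scope packet is routed.
POLICY = {("lan", "iot"): {"unicast", "site-local"},  # lan may reach iot
          ("iot", "lan"): set()}                       # iot may not reach lan

def crosses(dst, src_seg, dst_seg, policy=POLICY):
    """True only if the scope allows forwarding AND the boundary policy allows
    it: routing everything in scope is not the same thing as filtering."""
    if not router_forwards(dst, src_seg, dst_seg):
        return False
    kind = multicast_scope(dst) or "unicast"
    return src_seg == dst_seg or kind in policy.get((src_seg, dst_seg), set())

if __name__ == "__main__":
    # Constructed discovery/probe packets sent from the IoT segment toward the LAN
    for name, dst in [("mDNS", "ff02::fb"), ("SSDP link", "ff02::c"),
                      ("SSDP site", "ff05::c"), ("probe", "2001:db8:0:1::10")]:
        print(f"{name:10} {dst:18} routed={router_forwards(dst, 'iot', 'lan')}"
              f" allowed={crosses(dst, 'iot', 'lan')}")
```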

