[190451] in North American Network Operators' Group
Re: IPv6 deployment excuses
daemon@ATHENA.MIT.EDU (Masataka Ohta)
Mon Jul 4 22:36:37 2016
X-Original-To: nanog@nanog.org
To: Jared Mauch <jared@puck.Nether.net>
From: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
Date: Tue, 5 Jul 2016 11:34:17 +0900
In-Reply-To: <20160705010018.GC8803@puck.nether.net>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org
Jared Mauch wrote:
>> Are you saying, without NAT or something like that to restrict
>> reachable ports, the Internet, regardless of whether it is with
>> IPv4 or IPv6, is not very secure?
>
> I'm saying two things:
>
> 1) UPnP is a security nightmare and nobody (at scale)
> will let you register ports with their CGN/edge.
Don't do that. Just have static port forwarding. UPnP
may be used as a channel to advertise the forwarding
information but you can also do it manually (for reverse
translation, configuring a global IP address and a range
of port numbers is enough).
> 2) We are an industry in transition. Internet connectivity
> will soon be defined by v6 + v4, not v4+ sometimes v6.
Yeah, we have been so for these 20 years.
> Our services need to work for the broadest set of users. Many
> people are now used to the non-e2e results of a NAT/CGN environment.
Exactly. And, as e2e transparency over NAT can be offered to
exceptional people, we can live with IPv4 forever.
Masataka Ohta
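The reverse translation Ohta describes (one global address plus a static port range per subscriber, no UPnP) modelled as an added example; this is not code from the thread, and the subscriber table, addresses and class names are constructed for illustration:

```python
"""Port-range static forwarding on a CGN (added example, not from the thread).

Each subscriber is statically assigned one shared global IPv4 address and a
contiguous port range. Inbound packets whose destination port falls inside a
range are reverse-translated to that subscriber; anything else is dropped,
so only the configured ranges are reachable from outside.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Subscriber:
    name: str
    internal_ip: str   # customer-side (RFC 1918) address
    global_ip: str     # shared public address
    port_lo: int       # first port of the assigned range (inclusive)
    port_hi: int       # last port of the assigned range (inclusive)


class PortRangeCGN:
    def __init__(self, subscribers):
        self.subs = list(subscribers)
        # Overlapping ranges on one global address would make reverse
        # translation ambiguous, so reject such a configuration up front.
        for i, a in enumerate(self.subs):
            for b in self.subs[i + 1:]:
                if a.global_ip == b.global_ip and a.port_lo <= b.port_hi and b.port_lo <= a.port_hi:
                    raise ValueError(f"overlapping port ranges: {a.name} / {b.name}")

    def inbound(self, dst_ip, dst_port):
        """Reverse translation: (global_ip, port) -> (internal_ip, port),
        or None (drop) when no static mapping covers the port."""
        for s in self.subs:
            if s.global_ip == dst_ip and s.port_lo <= dst_port <= s.port_hi:
                return (s.internal_ip, dst_port)
        return None

    def outbound(self, src_ip, src_port):
        """Forward translation keeps the port unchanged only if the subscriber
        sourced it from its own range; otherwise the CGN cannot map it (None)."""
        for s in self.subs:
            if s.internal_ip == src_ip and s.port_lo <= src_port <= s.port_hi:
                return (s.global_ip, src_port)
        return None


# Constructed sample table: two subscribers share one public address.
CGN = PortRangeCGN([
    Subscriber("alice", "10.0.0.2", "203.0.113.10", 1024, 2047),
    Subscriber("bob", "10.0.0.3", "203.0.113.10", 2048, 3071),
])
```

Because the mapping is static, a port outside every assigned range has no inbound path at all, which is the property that makes this safer than letting hosts register arbitrary ports at the edge.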