[64631] in North American Network Operators' Group
Re: [arin-announce] IPv4 Address Space (fwd)
daemon@ATHENA.MIT.EDU (Miquel van Smoorenburg)
Wed Oct 29 14:32:27 2003
To: nanog@merit.edu
From: "Miquel van Smoorenburg" <miquels@cistron.nl>
Date: Wed, 29 Oct 2003 19:31:43 +0000 (UTC)
X-Complaints-To: abuse@cistron.nl
Errors-To: owner-nanog-outgoing@merit.edu
In article <cistron.Pine.LNX.4.44.0310291228200.29539-100000@login1.fas.harvard.edu>,
Scott McGrath <mcgrath@fas.harvard.edu> wrote:
>And sometimes you use NAT because you really do not want the NAT'ed device
>to be globally addressable but it needs to have a link to the outside to
>download updates. Instrument controllers et al.
I don't understand. What is the difference between a /24 internal
NATted network, and a /64 internal IPv6 network that is firewalled
off: only packets to the outside allowed, and packets destined for
the inside need to have a traffic flow associated with it.

As I see it, NAT is just a stateful firewall of sorts. A broken one,
so why not use a non-broken solution?

We can only hope that IPv6 capable CPE devices have that sort
of stateful firewalling turned on by default. Or start educating
the vendors of these el-cheopo CPE devices so that they will
all have that kind of firewalling enabled before IPv6 becomes
mainstream.
Mike.
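
The policy described in the post above (inside hosts may open flows outward, inbound packets are forwarded only when they belong to such a flow), written as an nftables ruleset. This is an added example, not part of the original message; it assumes a Linux-based CPE, and the interface names `wan0` and `lan0`, the table name and the log prefix are placeholders.

```nftables
#!/usr/sbin/nft -f
# Stateful IPv6 forwarding policy for a CPE router, with no address translation.
# Assumed names: wan0 faces the ISP, lan0 carries the internal /64.

define wan = "wan0"
define lan = "lan0"

table ip6 cpe_filter {
    chain forward {
        # Anything not explicitly accepted below is dropped.
        type filter hook forward priority 0; policy drop;

        # Packets that belong to a flow an inside host started, plus
        # ICMPv6 errors tied to such a flow (for example Packet Too Big,
        # which path MTU discovery depends on).
        ct state established,related accept

        # Packets conntrack cannot place in any flow.
        ct state invalid drop

        # New flows may only be opened from the inside towards the outside.
        iifname $lan oifname $wan ct state new accept

        # Unsolicited inbound: count and log before dropping, so the
        # operator can see what the default-deny is actually stopping.
        iifname $wan oifname $lan ct state new counter log prefix "v6-unsolicited-in: " drop
    }
}
```

The ruleset covers forwarded traffic only; traffic addressed to the router itself (neighbor discovery, DHCPv6-PD, management) needs its own input chain.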