[97195] in North American Network Operators' Group


Re: Cool IPv6 Stuff

daemon@ATHENA.MIT.EDU (Donald Stahl)
Mon Jun 4 11:38:02 2007

Date: Mon, 4 Jun 2007 11:37:11 -0400 (EDT)
From: Donald Stahl <don@calis.blacksun.org>
To: Sam Stickland <sam_mailinglists@spacething.org>
Cc: Sander Steffann <s.steffann@computel.nl>,
	'Adrian Chadd' <adrian@creative.net.au>,
	'NANOG list' <nanog@nanog.org>
In-Reply-To: <4663F956.4020601@spacething.org>
Errors-To: owner-nanog@merit.edu


> Even people I have spoken to that understand the difference between 
> firewalling/reachability and NATing are still in favour of NAT. The argument 
> basically goes "Yes, I understand that having a public address does not 
> necessarily mean being publicly reachable. But having a private address 
> means that [inbound] public reachability is simply not possible without 
> explicit configuration to enable it". i.e. NAT is seen as an extra layer of 
> security.
>
> I want NAT to die but I think it won't.
Far too many "security" folks are dictating actual implementation details 
and that's fundamentally wrong.

A security policy should read "no external access to the network" and it 
should be up to the network/firewall folks to determine how best to make 
that happen. Unfortunately many security policies go so far as to 
explicitly require NAT.

-Don
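The point argued above, that "no inbound reachability without explicit configuration" is a property of the firewall policy rather than of private addressing, can be shown with a small stateful-filter model. This is an added example, not code from the thread; the inside prefix 2001:db8:1::/48 and the host addresses are constructed documentation values, and the filter tracks flows only by address/port tuple, with no TCP state machine.

```python
"""Minimal stateful filter: hosts keep globally routable IPv6
addresses (no NAT), the policy is default-deny inbound, and inbound
traffic is accepted only as a reply to an inside-initiated flow or
as an explicitly configured exception (a published service)."""
from ipaddress import IPv6Network, ip_address

# Constructed "inside" prefix (documentation range, not a real site).
INSIDE = IPv6Network("2001:db8:1::/48")


class StatefulFilter:
    def __init__(self, allowed_inbound=()):
        # Explicit exceptions: set of (inside address, port) that may
        # receive unsolicited traffic. Empty set == "no external access".
        self.allowed_inbound = set(allowed_inbound)
        # Connection table of flows started from the inside:
        # (inside addr, inside port, outside addr, outside port)
        self.state = set()

    @staticmethod
    def _inside(addr):
        return ip_address(addr) in INSIDE

    def packet(self, src, sport, dst, dport):
        """Return 'accept' or 'drop' for one packet."""
        if self._inside(src) and not self._inside(dst):
            # Inside -> outside: permit and remember the flow so that
            # replies can come back.
            self.state.add((src, sport, dst, dport))
            return "accept"
        if not self._inside(src) and self._inside(dst):
            if (dst, dport, src, sport) in self.state:
                return "accept"   # reply to a flow the inside host opened
            if (dst, dport) in self.allowed_inbound:
                return "accept"   # explicitly enabled inbound service
            return "drop"         # default-deny, public address or not
        return "drop"             # anything else is outside the model


def demo():
    """Walk through the cases the thread discusses; returns verdicts."""
    fw = StatefulFilter(allowed_inbound={("2001:db8:1::80", 443)})
    return {
        "outbound_new": fw.packet("2001:db8:1::10", 50000, "2001:db8:ffff::1", 443),
        "reply_to_outbound": fw.packet("2001:db8:ffff::1", 443, "2001:db8:1::10", 50000),
        "unsolicited_inbound": fw.packet("2001:db8:ffff::1", 40000, "2001:db8:1::10", 22),
        "published_service": fw.packet("2001:db8:ffff::1", 40000, "2001:db8:1::80", 443),
    }


if __name__ == "__main__":
    print(demo())
```

The unsolicited packet is dropped even though the inside host has a public address; reachability was granted by the firewall entry, not by the address family.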


