Re: Cool IPv6 Stuff

From: Iljitsch van Beijnum (no email)
Date: Mon Jun 04 2007 - 12:04:04 EDT

  • Next message: Owen DeLong: "Re: Cool IPv6 Stuff"

    On 4-jun-2007, at 17:37, Donald Stahl wrote:

    >> I want NAT to die but I think it won't.

    > Far too many "security" folks are dictating actual implementation
    > details and that's fundamentally wrong.

    > A security policy should read "no external access to the network"
    > and it should be up to the network/firewall folks to determine how
    > best to make that happen. Unfortunately many security policies go
    > so far as to explicitly require NAT.

    Don't forget that the reason NAT works to the degree that it does
    today is because of all the workarounds in applications or protocol-
    specific workarounds in the NATs (ALGs). In IPv6, you don't have any
    of this stuff, so IPv6 NAT gets you nowhere fast with any protocol
    that does more than something HTTP-like. (Yes, I've tried it.)

    If people want to have their boxes on unroutable IPv6 space, my
    advice would be to forget NAT and do proxying instead. Proxying also
    has the advantage that it doesn't care about the difference between IPv4
    and IPv6: a dual-stack proxy gives you access to both. Obviously
    proxying doesn't work for certain classes of applications, but I
    should hope that's the point. If you want to be on private address
    space and still enjoy a good deal of (peer-to-peer) connectivity (=
    NAT), PLEASE do yourself and the people you want to communicate with
    a favor and stay in IPv4.
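
The "dual-stack proxy" idea above, as an added example that is not part of this thread or anyone's posted code: a minimal TCP forwarding proxy where the listener side and the upstream side are resolved independently with `getaddrinfo(AF_UNSPEC)`, so the client can arrive over IPv4 while the upstream is reached over IPv6 (or vice versa) with no address translation in between. The echo server, `demo()` and the loopback addresses are constructed for the example; a real deployment would use an application-layer proxy (HTTP CONNECT, SOCKS) rather than this raw TCP relay, and would bind on both `0.0.0.0` and `::`.

```python
import selectors
import socket
import threading


def resolve_targets(host, port):
    """Return candidate (family, sockaddr) pairs for host:port, IPv6 and IPv4 alike."""
    infos = socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM)
    return [(family, sockaddr) for family, _t, _p, _c, sockaddr in infos]


def connect_dual_stack(host, port, timeout=3.0):
    """Try each resolved address in order and return the first connected socket.

    This is where the proxy stops caring about v4 vs v6: the family of the
    upstream socket is whatever the name resolves to, independent of the
    family the client connected with.
    """
    last_err = None
    for family, sockaddr in resolve_targets(host, port):
        sock = socket.socket(family, socket.SOCK_STREAM)
        sock.settimeout(timeout)
        try:
            sock.connect(sockaddr)
            sock.settimeout(None)
            return sock
        except OSError as exc:  # unreachable family, refused port, timeout: try next
            last_err = exc
            sock.close()
    raise OSError(f"could not reach {host}:{port}: {last_err}")


def relay(client, upstream):
    """Copy bytes in both directions until either side closes."""
    sel = selectors.DefaultSelector()
    sel.register(client, selectors.EVENT_READ, upstream)   # data = peer to write to
    sel.register(upstream, selectors.EVENT_READ, client)
    try:
        while True:
            for key, _mask in sel.select():
                data = key.fileobj.recv(65536)
                if not data:
                    return
                key.data.sendall(data)
    finally:
        sel.close()
        client.close()
        upstream.close()


def _passive_listener(host, port):
    """Bind a listening socket on host:port using whichever family the host implies."""
    family, _t, _p, _c, sockaddr = socket.getaddrinfo(
        host, port, socket.AF_UNSPEC, socket.SOCK_STREAM, 0, socket.AI_PASSIVE)[0]
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(sockaddr)
    sock.listen(16)
    return sock


def serve_proxy(listen_host, listen_port, target_host, target_port):
    """Accept clients on listen_host:listen_port and forward each to the target."""
    lsock = _passive_listener(listen_host, listen_port)

    def loop():
        while True:
            try:
                client, _peer = lsock.accept()
            except OSError:
                return  # listener closed
            try:
                upstream = connect_dual_stack(target_host, target_port)
            except OSError:
                client.close()  # upstream unreachable over any family
                continue
            threading.Thread(target=relay, args=(client, upstream), daemon=True).start()

    thread = threading.Thread(target=loop, daemon=True)
    thread.start()
    return lsock, thread


def serve_echo(host, port=0):
    """Constructed stand-in for an upstream service: echoes whatever it receives."""
    lsock = _passive_listener(host, port)

    def handle(conn):
        with conn:
            while True:
                data = conn.recv(65536)
                if not data:
                    return
                conn.sendall(data)

    def loop():
        while True:
            try:
                conn, _peer = lsock.accept()
            except OSError:
                return
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return lsock


def demo(payload=b"hello over the proxy"):
    """Echo server and proxy on loopback (constructed); return what comes back through the proxy."""
    echo = serve_echo("127.0.0.1")
    proxy, _thread = serve_proxy("127.0.0.1", 0, "127.0.0.1", echo.getsockname()[1])
    client = connect_dual_stack("127.0.0.1", proxy.getsockname()[1])
    client.sendall(payload)
    got = b""
    while len(got) < len(payload):
        chunk = client.recv(65536)
        if not chunk:
            break
        got += chunk
    client.close()
    proxy.close()
    echo.close()
    return got


if __name__ == "__main__":
    print(demo())
```

Swapping the target to an IPv6 literal or a AAAA-only name changes nothing in the client-facing side; that is the property the message is pointing at, and it is also why protocols that embed addresses in their payload (the ones that need ALGs under NAT) are simply not carried by this kind of proxy rather than half-working.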

