Re: Cool IPv6 Stuff

From: Adrian Chadd (no email)
Date: Mon Jun 04 2007 - 22:29:43 EDT

  • Next message: Fred Baker: "Re: Security gain from NAT"

    On Mon, Jun 04, 2007, Iljitsch van Beijnum wrote:
    >
    > On 4-jun-2007, at 17:37, Donald Stahl wrote:
    >
    > >>I want NAT to die but I think it won't.
    >
    > >Far too many "security" folks are dictating actual implementation
    > >details and that's fundamentally wrong.
    >
    > >A security policy should read "no external access to the network"
    > >and it should be up to the network/firewall folks to determine how
    > >best to make that happen. Unfortunately many security policies go
    > >so far as to explicitly require NAT.
    >
    > Don't forget that the reason NAT works to the degree that it does
    > today is because of all the workarounds in applications or protocol-
    > specific workarounds in the NATs (ALGs). In IPv6, you don't have any
    > of this stuff, so IPv6 NAT gets you nowhere fast with any protocol
    > that does more than something HTTP-like. (Yes, I've tried it.)

    Won't stateful firewalls have similar issues? I.e., if you craft a stateful
    firewall to allow an office to have real IPv6 addresses but not to allow
    arbitrary connections in/out (i.e., the "stateful" bit), won't said stateful
    firewall require protocol tracking modules with similar (but not -as-) complexity
    to the existing NAT modules?

    Adrian
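The point under discussion (a stateful firewall that permits outbound connections and their return traffic still needs protocol-aware helpers for anything that negotiates secondary connections, exactly as a NAT needs ALGs) can be shown with a small model. The following is an added example, not code from this thread or from any firewall product: a toy 5-tuple state table for IPv6 plus one optional helper that understands the FTP EPRT command (the IPv6 form of active-mode FTP from RFC 2428). Addresses use the 2001:db8::/32 documentation prefix and the packets are constructed inline; the class and function names are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample endpoints (documentation prefix, not real hosts).
INSIDE = "2001:db8:1::10"    # client behind the firewall
OUTSIDE = "2001:db8:2::21"   # FTP server on the internet

# EPRT |2|<ipv6 address>|<port>|  -- the client tells the server where to connect.
EPRT_RE = re.compile(r"EPRT \|2\|([0-9a-fA-F:]+)\|(\d+)\|")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    payload: str = ""


@dataclass
class StatefulFirewall:
    """Minimal stateful filter: inside hosts may open connections outward,
    replies on an established 5-tuple are allowed, everything else inbound is
    dropped unless a protocol helper has announced that it is expected."""
    inside_prefix: str = "2001:db8:1::"
    helpers: list = field(default_factory=list)
    state: set = field(default_factory=set)         # established 5-tuples
    expectations: set = field(default_factory=set)  # (proto, peer, dst, dport)

    def is_inside(self, addr: str) -> bool:
        return addr.startswith(self.inside_prefix)

    @staticmethod
    def _key(p: Packet):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _rev(p: Packet):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def filter(self, pkt: Packet) -> bool:
        """Return True if the packet is permitted, False if dropped."""
        # 1. Part of an existing connection (either direction): allow.
        if self._key(pkt) in self.state or self._rev(pkt) in self.state:
            self._inspect(pkt)
            return True
        # 2. New connection initiated from the inside: create state, allow.
        if self.is_inside(pkt.src) and not self.is_inside(pkt.dst):
            self.state.add(self._key(pkt))
            self._inspect(pkt)
            return True
        # 3. New inbound connection: only if a helper pre-authorised it (one-shot).
        exp = (pkt.proto, pkt.src, pkt.dst, pkt.dport)
        if exp in self.expectations:
            self.expectations.discard(exp)
            self.state.add(self._key(pkt))
            return True
        return False

    def _inspect(self, pkt: Packet) -> None:
        for helper in self.helpers:
            helper(self, pkt)


def ftp_eprt_helper(fw: StatefulFirewall, pkt: Packet) -> None:
    """Protocol tracking module: watch the outbound FTP control channel and
    pre-authorise the single inbound data connection announced by EPRT."""
    if pkt.proto != "tcp" or pkt.dport != 21 or not fw.is_inside(pkt.src):
        return
    m = EPRT_RE.search(pkt.payload)
    if m:
        addr, port = m.group(1), int(m.group(2))
        fw.expectations.add(("tcp", pkt.dst, addr, port))


def run_scenario(with_helper: bool) -> dict:
    """Drive an active-mode FTP session through the firewall and report
    which packets were allowed."""
    fw = StatefulFirewall(helpers=[ftp_eprt_helper] if with_helper else [])
    control_open = Packet(INSIDE, 40000, OUTSIDE, 21)
    control_reply = Packet(OUTSIDE, 21, INSIDE, 40000, payload="220 ready")
    eprt = Packet(INSIDE, 40000, OUTSIDE, 21,
                  payload="EPRT |2|2001:db8:1::10|5005|\r\n")
    data_in = Packet(OUTSIDE, 20, INSIDE, 5005)      # server-initiated data channel
    unsolicited = Packet(OUTSIDE, 20, INSIDE, 5006)  # nobody asked for this one
    return {
        "control_open": fw.filter(control_open),
        "control_reply": fw.filter(control_reply),
        "eprt": fw.filter(eprt),
        "data_in": fw.filter(data_in),
        "unsolicited": fw.filter(unsolicited),
    }


if __name__ == "__main__":
    print("without helper:", run_scenario(False))
    print("with helper:   ", run_scenario(True))
```

Without the helper the control channel works but the server's data connection to port 5005 is dropped, which is the breakage Iljitsch describes for anything "more than HTTP-like"; with the helper it is allowed, while an unannounced inbound connection is still dropped. The helper is only as good as its parser, so it is the same kind of per-protocol code (and the same attack surface) that NAT ALGs carry, with the one simplification that no address rewriting is needed because the addresses are real.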
