nanog mailing list archives
Re: Rate of growth on IPv6 not fast enough?
From: Jim Burwell <jimb () jsbc cc>
Date: Wed, 21 Apr 2010 05:46:47 -0700
On 4/21/2010 03:38, Mark Smith wrote:
> On Tue, 20 Apr 2010 21:16:10 -0700 Owen DeLong <owen () delong com> wrote:
>>> Frankly, when you hear people strongly using the argument stateful firewalling == NAT, you start to wonder if they've ever seen a stateful firewall using public addresses.
>> I've run several of them.
> My comment wasn't a reply to you, more of a general comment about the surprising effort you still need to go to explain that stateful firewalling doesn't mandate NAT. I sometimes wonder if some people's heads would explode if I told them that this PC is directly attached to the Internet, has both public IPv4 and IPv6 addresses, and is performing stateful firewalling - with no NAT anywhere.

I hear ya. Except for simple translations (e.g. one-to-one, whole net xlates), NAT is dependent on SPI, but SPI is not dependent on NAT. But some seem to combine the two into a single inseparable concept. I've definitely run into people who confuse the concepts. And also presume that without NAT there is less or no security.

This head definitely wouldn't explode, since back in the early to mid 90s I ran enterprise networks on which all hosts had public IPs and there was no NAT at all. First protected by "dumb filters" on routers, which were fairly quickly replaced by dedicated SPI firewalls (such as Checkpoint). The first couple SPI firewalls I used didn't even *have* NAT capability. Yet, they did a fine job securing my LANs without it. And this is at a time when most workstations and servers on the LAN didn't have firewalls themselves (no OS included FW).

Despite it doing the job it was intended to do, I've always seen NAT as a bit of an ugly hack, with potential to get even uglier with LSN and multi-level NAT in the future. I personally welcome a return to a NAT-less world with IPv6. :)
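The distinction drawn in the message above (port-translating NAT needs per-flow state, while stateful inspection needs no translation), as an added example that is not part of the original post. The class names are hypothetical and the addresses are constructed from documentation ranges.

```python
from typing import NamedTuple, Optional

class Packet(NamedTuple):
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

class StatefulFilter:
    """SPI without NAT: remembers flows opened from inside, rewrites nothing."""
    def __init__(self):
        self.flows = set()              # state table keyed by the full 5-tuple

    def outbound(self, p: Packet) -> Packet:
        self.flows.add(p)
        return p                        # addresses and ports pass through untouched

    def inbound(self, p: Packet) -> Optional[Packet]:
        # A reply is a tracked 5-tuple with its endpoints swapped.
        expected = Packet(p.proto, p.dst, p.dport, p.src, p.sport)
        return p if expected in self.flows else None   # unsolicited: dropped

class Napt:
    """Port-translating NAT: the same per-flow state, plus a rewrite."""
    def __init__(self, public_addr: str, first_port: int = 40000):
        self.public = public_addr
        self.next_port = first_port
        self.out_map = {}   # inside 5-tuple -> allocated public port
        self.in_map = {}    # (proto, public port, remote addr, remote port) -> inside (addr, port)

    def outbound(self, p: Packet) -> Packet:
        if p not in self.out_map:
            self.out_map[p] = self.next_port
            self.in_map[(p.proto, self.next_port, p.dst, p.dport)] = (p.src, p.sport)
            self.next_port += 1
        return p._replace(src=self.public, sport=self.out_map[p])

    def inbound(self, p: Packet) -> Optional[Packet]:
        inside = self.in_map.get((p.proto, p.dport, p.src, p.sport))
        if inside is None:
            return None     # without flow state there is no host to deliver to
        return p._replace(dst=inside[0], dport=inside[1])

if __name__ == "__main__":
    fw = StatefulFilter()
    req = Packet("tcp", "2001:db8:1::10", 51000, "2001:db8:ffff::80", 443)
    fw.outbound(req)
    print(fw.inbound(Packet("tcp", "2001:db8:ffff::80", 443, "2001:db8:1::10", 51000)))
    print(fw.inbound(Packet("tcp", "2001:db8:ffff::66", 443, "2001:db8:1::10", 51000)))
```

Both classes drop the unsolicited inbound packet for the same reason, a missing state entry; the translation in `Napt` only decides which inside address a tracked reply is rewritten to.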