nanog mailing list archives

Re: IPv6 uptake (was: The Reg does 240/4)

From: William Herrin <bill () herrin us>
Date: Fri, 16 Feb 2024 15:01:49 -0800

On Fri, Feb 16, 2024 at 2:19 PM Jay R. Ashworth <jra () baylink com> wrote:

From: "Justin Streiner" <streinerj () gmail com>
4. Getting people to unlearn the "NAT=Security" mindset that we were forced
to accept in the v4 world.


NAT doesn't "equal" security.

But it is certainly a *component* of security, placing control of what internal
nodes are accessible from the outside in the hands of the people inside.


Hi Jay,

Every firewall does that. What NAT does above and beyond is place
control of what internal nodes are -addressable- from the outside in
the hands of the people inside -- so that most of the common mistakes
with firewall configuration don't cause the internal hosts to -become-
accessible.

The distinction doesn't seem that subtle to me, but a lot of folks
making statements about network security on this list don't appear to
grasp it.

Regards,
Bill Herrin


-- 
William Herrin
bill () herrin us
https://bill.herrin.us/

Current thread:

Re: The Reg does 240/4, (continued)
- - - Re: The Reg does 240/4 Brian Knight via NANOG (Feb 15)
    - Re: The Reg does 240/4 Mike Hammett (Feb 16)
    - RE: The Reg does 240/4 Howard, Lee via NANOG (Feb 16)
    - Re: The Reg does 240/4 Tom Beecher (Feb 15)
    - IPv6 uptake (was: The Reg does 240/4) Stephen Satchell (Feb 15)
    - Re: IPv6 uptake (was: The Reg does 240/4) Mark Andrews (Feb 15)
    - Re: IPv6 uptake (was: The Reg does 240/4) John Levine (Feb 15)
    - Re: IPv6 uptake (was: The Reg does 240/4) Justin Streiner (Feb 15)
    - Re: IPv6 uptake (was: The Reg does 240/4) Stephen Satchell (Feb 15)
    - Re: IPv6 uptake (was: The Reg does 240/4) Jay R. Ashworth (Feb 16)
    - Re: IPv6 uptake (was: The Reg does 240/4) William Herrin (Feb 16)
    - Re: IPv6 uptake (was: The Reg does 240/4) Michael Thomas (Feb 16)
    - Re: IPv6 uptake (was: The Reg does 240/4) William Herrin (Feb 16)
    - Re: IPv6 uptake (was: The Reg does 240/4) Michael Thomas (Feb 16)
    - Re: IPv6 uptake (was: The Reg does 240/4) William Herrin (Feb 16)
    - Re: IPv6 uptake (was: The Reg does 240/4) Michael Thomas (Feb 16)
    - Re: IPv6 uptake (was: The Reg does 240/4) William Herrin (Feb 16)
    - Re: IPv6 uptake (was: The Reg does 240/4) Michael Thomas (Feb 17)
    - Re: IPv6 uptake (was: The Reg does 240/4) William Herrin (Feb 17)
    - Re: IPv6 uptake (was: The Reg does 240/4) sronan (Feb 16)
    - Re: IPv6 uptake (was: The Reg does 240/4) William Herrin (Feb 16)

(Thread continues...)