nanog mailing list archives
Re: IPv6 uptake (was: The Reg does 240/4)
From: "Brandon Butterworth" <brandon () bogons net>
Date: Sat, 17 Feb 2024 21:24:20 +0000
On 17/02/2024, 19:27:20, "William Herrin" <bill () herrin us> wrote:
> So it does not surprise me that a 1994 book on network security would not have discussed NAT. They'd have referred to the comparable contemporary technology, which was "transparent application layer gateways." Those behaved like what we now call NAT but did the job a different way: instead of modifying packets, they terminated the connection and proxied it.
And that was a very desired feature plus the address isolation, then and for decades since. The client's IP stack was not trusted to interact directly with external hosts. See SOCKS proxy too (and later Squid). It is still in use today in some places.

There were stateful firewalls but trust was reduced when the Firewall 1 undocumented and not unconfigurable default DNS UDP inbound rule was discovered; it let anyone on the Internet's "DNS" packets reach any host on the inside they could guess the address of.

The "what if the product does allow packets in it is expected not to" consideration drove having unreachable internal addressing. Clicking on rules and assuming it is all good forever more through product revisions was not sufficient. Every version would need a significant re-audit and probably miss any real problem.

How are people validating their firewall does what they think it does?

brandon
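The following is an added example, not part of the message above or of any product: a small expected-verdict regression check that is run against the effective rule list (vendor defaults included) rather than only the rules that were clicked together. The rule names, the first-match model, and the addresses (documentation prefixes) are constructed assumptions.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "accept" or "drop"
    proto: str             # "udp", "tcp" or "any"
    src: str               # CIDR
    dst: str               # CIDR
    dport: Optional[int]   # None matches any destination port

Flow = namedtuple("Flow", "proto src dst dport")

def verdict(rules, flow):
    """First matching rule wins; no match at all means drop."""
    for r in rules:
        if (r.proto in ("any", flow.proto)
                and ipaddress.ip_address(flow.src) in ipaddress.ip_network(r.src)
                and ipaddress.ip_address(flow.dst) in ipaddress.ip_network(r.dst)
                and r.dport in (None, flow.dport)):
            return r.action, r.name
    return "drop", "implicit-deny"

def audit(rules, expectations):
    """Return (flow, expected, got, rule_name) for every unexpected verdict."""
    results = [(f, want, *verdict(rules, f)) for f, want in expectations]
    return [r for r in results if r[1] != r[2]]

# Constructed sample policy: what the administrator configured.
INSIDE, DNS_SERVER = "192.0.2.0/24", "192.0.2.53/32"
CONFIGURED = [
    Rule("dns-to-server", "accept", "udp", "0.0.0.0/0", DNS_SERVER, 53),
    Rule("outbound", "accept", "any", INSIDE, "0.0.0.0/0", None),
    Rule("cleanup", "drop", "any", "0.0.0.0/0", "0.0.0.0/0", None),
]
# Hypothetical vendor default evaluated ahead of the configured rules.
EFFECTIVE = [Rule("vendor-default-dns", "accept", "udp",
                  "0.0.0.0/0", "0.0.0.0/0", 53)] + CONFIGURED
# Intended behaviour, kept under version control and re-run on every upgrade.
EXPECT = [
    (Flow("udp", "198.51.100.7", "192.0.2.53", 53), "accept"),
    (Flow("udp", "198.51.100.7", "192.0.2.10", 53), "drop"),
    (Flow("tcp", "198.51.100.7", "192.0.2.10", 22), "drop"),
    (Flow("tcp", "192.0.2.10", "198.51.100.7", 443), "accept"),
]
```

`audit(CONFIGURED, EXPECT)` returns no mismatches, while `audit(EFFECTIVE, EXPECT)` reports the inbound UDP/53 flow to a non-DNS host as accepted by `vendor-default-dns`. The same expectation list can drive real probes from an outside host, which is the only check that does not depend on the exported rule list being complete.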