nanog mailing list archives

Re: IPv6 uptake (was: The Reg does 240/4)


From: Matthew Walster via NANOG <nanog () nanog org>
Date: Mon, 19 Feb 2024 09:37:11 +1100

On Sun, 18 Feb 2024, 05:29 Owen DeLong via NANOG, <nanog () nanog org> wrote:

> Most firewalls are default deny. Routers are default allow unless you put
> a filter on the interface.


This is not relevant though. NAT when doing port overloading, as is the
case for most CPE, is not default-deny or default-allow. The OS processes
the packet just like normal and sends an ICMP back unless there is another
firewall that says drop. NAPT adds temporary rewrite rules for each flow
that goes outbound.

> NAT adds nothing to security (Bill and I agree to disagree on this), but at
> best, it complicates the audit trail.


It absolutely does add something. Whether that something is valuable or not
depends on your vantage point, and I'd say it's better than nothing, but
there are better solutions available.

M
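As an added illustration of the NAPT mechanics described above (this is not code from the thread, nor from any router vendor): a toy Python model in which the NAT table is nothing but temporary rewrite rules created by outbound flows, and an inbound packet that matches no live rule is handed to the CPE's own OS unless a separate default-deny firewall sits in front. The addresses, the idle timeout and the `listening` set are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed addresses (RFC 5737 documentation ranges), not from the thread.
INSIDE, WAN, REMOTE = "192.168.1.10", "203.0.113.5", "198.51.100.7"
IDLE_TIMEOUT = 30  # seconds a mapping survives without traffic (assumed value)

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"

@dataclass
class Napt:
    wan: str
    listening: frozenset = frozenset()  # ports the CPE's own OS serves on
    firewall: bool = False              # separate default-deny rule in front?
    next_port: int = 40000
    fwd: dict = field(default_factory=dict)  # (src, sport, proto) -> [wan port, last seen]
    rev: dict = field(default_factory=dict)  # (wan port, proto) -> (src, sport, proto)

    def outbound(self, p: Packet, now: float) -> Packet:
        """First packet of a flow allocates a WAN port; later ones refresh it."""
        key = (p.src, p.sport, p.proto)
        if key not in self.fwd:
            self.fwd[key] = [self.next_port, now]
            self.rev[(self.next_port, p.proto)] = key
            self.next_port += 1
        self.fwd[key][1] = now
        return Packet(self.wan, self.fwd[key][0], p.dst, p.dport, p.proto)

    def inbound(self, p: Packet, now: float) -> str:
        """A live mapping is rewritten. Otherwise NAPT decides nothing: the
        packet is addressed to the CPE, and its OS or a real firewall acts."""
        key = self.rev.get((p.dport, p.proto))
        if key is not None and now - self.fwd[key][1] > IDLE_TIMEOUT:
            del self.rev[(p.dport, p.proto)], self.fwd[key]  # rule expired
            key = None
        if key is not None:
            self.fwd[key][1] = now
            return f"rewritten to {key[0]}:{key[1]}"
        if self.firewall:
            return "dropped by firewall"
        if p.dport in self.listening:
            return "delivered to CPE service"
        return "ICMP port unreachable from CPE"
```

The same unsolicited inbound packet gets three different fates depending only on what sits beside the NAT table, which is the point of the disagreement above.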


