North American Network Operators Group
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Cool IPv6 Stuff

  • From: Sam Stickland
  • Date: Mon Jun 04 07:38:51 2007

Sander Steffann wrote:
Hi,
In fact, and call me crazy, but I can't help but wonder how many enterprises
out there will see IPv6 and its concept of "real IPs for all machines,
internal and external!" and respond with "Hell No."

Anyone got any numbers for that? I'm happy to admit I don't. :)

No numbers, but the customers I talked to usually have the feeling that
public IP addresses on their machines seems to imply publicly (and thus
unprotected) reachability for those machines. They don't understand the
difference between NAT and stateful firewalls...

This is what leads to the "Hell No" attitude in my case. Educating them
about security seems the only solution.

I think that rather than attempting to educate their customers about security firewall vendors will probably just sell a NAT capable IPv6 firewall. It's the path of least resistance to profit. (A lot of mainstream vendors have helped push the idea that NAT is synonymous with firewalling. Take the Cisco PIX as an example, where up until very recently you had to configure NAT to allow traffic through the device.)

Even people I have spoken that understand the difference between firewalling/reachability and NATing are still in favour of NAT. The argument basically goes "Yes, I understand that have a public address does not neccessarily mean being publically reachable. But having a private address means that [inbound] public reachability is simply not possible without explicit configuration to enable it". i.e. NAT is seen as a extra layer of security.

I want NAT to die but I think it won't.

S