North American Network Operators Group

Re: Cool IPv6 Stuff

  • From: Donald Stahl
  • Date: Mon Jun 04 11:38:24 2007


Even people I have spoken to that understand the difference between firewalling/reachability and NATing are still in favour of NAT. The argument basically goes "Yes, I understand that having a public address does not necessarily mean being publicly reachable. But having a private address means that [inbound] public reachability is simply not possible without explicit configuration to enable it". I.e. NAT is seen as an extra layer of security.

I want NAT to die but I think it won't.
Far too many "security" folks are dictating actual implementation details and that's fundamentally wrong.

A security policy should read "no external access to the network" and it should be up to the network/firewall folks to determine how best to make that happen. Unfortunately many security policies go so far as to explicitly require NAT.

-Don