North American Network Operators Group
Re: Security gain from NAT (was: Re: Cool IPv6 Stuff)
On 5/06/2007, at 9:29 PM, <[email protected]> <[email protected]> wrote:
I don't think anyone is suggesting that you should put NAPT in an IPv6 gateway. A few days ago it was suggested by Sam Stickland that a blocker to moving to IPv6 was the lack of NAPT, and the security features that are an integral part of its functionality.
The comment was then made (I think by Owen DeLong, although he implied it instead of stating it clearly) that stateful inspection can be done independently of NAPT, and that the anonymity can be provided by the privacy extensions was mentioned by both myself and someone else. No one has disputed either of those two points so far.
The counterpoint seems to be that you get stateful inspection with NAPT, which isn't really disputed, as it's obvious.
It seems that that's been misinterpreted as people suggesting that instead of IPv6 and SI+Privacy, we go with IPv6 and NAPT, and to that people are saying "Just use SI".
I'm unclear as to why this is still being discussed to be honest, as no one is claiming that NAPT provides additional security over SI+Privacy, which was presented as a solution to the original concern. The rest seems to just be trying to pick holes in misinterpretations of each other's posts, which doesn't really go anywhere, let alone make sense.
As I see it, the next step for everyone here is educating people that NAPT-equivalent security can be provided in other ways. Let's focus our energies on that, instead of pointless debate. So, when talking to your CPE vendor about IPv6, make SI a requirement, and encourage end users to turn on Privacy extensions for address selection.
It shouldn't be a hard sell at all - the only consumer grade routers that I'm aware of that do IPv6 are the Cisco 8xx, and the Apple Airport Extreme (n). Both do SI, the Airport does it by default (now).
-- Nathan Ward
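
The "SI without NAPT" arrangement discussed in this message, sketched as an nftables ruleset for a Linux-based IPv6 gateway. This is an added example, not part of the original post; the table name `edge_filter` and the interface names `lan0` and `wan0` are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example: stateful inspection for routed IPv6, with no address
# translation anywhere in the ruleset. Inside hosts keep their global
# addresses; unsolicited inbound flows are still dropped.
# Assumed names: table "edge_filter", interfaces "lan0" (inside), "wan0" (outside).

table ip6 edge_filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Packets conntrack cannot associate with any valid flow.
        ct state invalid drop

        # Return traffic for flows initiated from the inside, plus
        # ICMPv6 errors that conntrack ties to those flows ("related").
        ct state established,related accept

        # New flows may only be opened from the inside interface.
        iifname "lan0" oifname "wan0" ct state new accept

        # Everything else, including new flows arriving on wan0,
        # falls through to the drop policy.
    }
}

# Privacy extensions are a host-side setting, not a gateway one.
# On a Linux host, temporary addresses are preferred for outbound
# connections with:
#   sysctl -w net.ipv6.conf.all.use_tempaddr=2
#   sysctl -w net.ipv6.conf.default.use_tempaddr=2
```

The forward chain gives the same default behaviour a NAPT box provides as a side effect (inside-initiated flows only), which is the property to ask a CPE vendor for.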