Re: Security gain from NAT (was: Re: Cool IPv6 Stuff)

• From: Sam Stickland
• Date: Wed Jun 06 07:14:11 2007

On 5/06/2007, at 9:29 PM, <[email protected]> <[email protected]> wrote:

I posit that a screen door does not provide any security.

"Any" is too strong a word. For people living in an area with
malaria-carrying mosquitoes, that screen door may be more important for
security than a solid steel door with a deadbolt. It all depends on what
the risks are, what you are protecting, and where your priorities are.

It is rather odd to see this discussion just a few weeks after the IETF
issued RFC 4864 to address just this misconception of NAT. How many of
the participants have read the RFC? Assuming vendors of cheap consumer
IPv6 gateway boxes implement all the LNP (Local Network Protection)
features of RFC 4864, is there any reason for these boxes to also
support NAT?

As far as I can see the only good reason to put NAT in an IPv6 gateway
is because uneducated consumers demand it as a checklist feature. In
that case, let's hope that it is off by default and that disabling the
NAT does not disrupt any of the other LNP features. That way, when the
customer calls the support desk to complain that they are not getting
SIP calls from Mom, you can tell them to turn off the NAT and try again.

Precisely.
I don't think anyone is suggesting that you should put NAPT in an IPv6 gateway. A few days ago it was suggested by Sam Stickland that a blocker to moving to IPv6 was the lack of NAPT, and the security features that are an integral part of it's functionality.

• References:
  • RE: Security gain from NAT (was: Re: Cool IPv6 Stuff) David Schwartz
  • Re: Security gain from NAT (was: Re: Cool IPv6 Stuff) Owen DeLong
  • RE: Security gain from NAT (was: Re: Cool IPv6 Stuff) michael.dillon
  • Re: Security gain from NAT (was: Re: Cool IPv6 Stuff) Nathan Ward

• Prev by Date: Re: Cool IPv6 Stuff
• Next by Date: Re: Security gain from NAT
• Date Index
• Thread Index
• Author Index
• Historical