On Oct 18, 2010, at 8:47 AM, George Bonser wrote:
>> -----Original Message-----
>> From: Henning Brauer
>> Sent: Monday, October 18, 2010 8:36 AM
>> To: nanog@nanog.org
>> Subject: Re: Only 5x IPv4 /8 remaining at IANA
>>
>> instead of working on a viable alternative that doesn't suck. Which is certainly possible.
> I would say that at this point it is too late to resist v6 deployment but it might be a good time to work on the "next thing" and use v6 as an example of how not to do it next time.
>
> It certainly is going to present some security challenges for some folks, particularly the ones that have been using dynamic nat pools to, in effect, block inbound connections. Firewall vendors are going to see a windfall from v6, I think.
>
> G
Nobody is using dynamic nat pools to block inbound connections. Many people are using dynamic NAT on top of stateful inspection where stateful inspection blocks inbound connections. The good news is that stateful inspection doesn't go away in IPv6. It works just fine. All that goes away is the header mangling. It's really unfortunate that most people don't understand the distinction. If they did, it would help them to realize that NAT doesn't actually do anything for security, it just helps with address conservation (although it has some limits there, as well). IPv6 with SI is no less secure than IPv4 with SI+NAT. If you're worried about address and/or topological obfuscation, then IPv6 offers you privacy addresses with rotating numbers. However, that's more a privacy issue than a security issue, unless you believe in the idea of security through obscurity, which is pretty well proven false.

Owen
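An added illustration of the distinction Owen draws, constructed for this page and not taken from the thread: one nftables stateful-inspection policy covers both address families and is what actually refuses unsolicited inbound connections; the only family-specific piece is the IPv4 source NAT, which the IPv6 side simply does not need. Interface names lan0 and wan0 are assumptions.

```nft
# Constructed example, not from the thread. Assumed interfaces: lan0 (inside), wan0 (outside).
# The "inet" family applies the same rules to IPv4 and IPv6.
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        # replies to connections we opened are allowed; this is the stateful inspection
        ct state established,related accept
        ct state invalid drop
        # ICMPv6 is not optional: neighbour discovery and path MTU discovery depend on it
        meta l4proto { icmp, ipv6-icmp } accept
        # anything else arriving unsolicited falls through to the drop policy
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        meta l4proto { icmp, ipv6-icmp } accept
        # inside hosts may open connections outward; nothing new is accepted from wan0
        iifname "lan0" oifname "wan0" accept
    }
}

# Only IPv4 needs address translation on top of the policy above.
# For IPv6 the filter table alone is the complete configuration.
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan0" masquerade
    }
}
```

Removing the `ip nat` table changes nothing about which inbound connections are blocked; it only stops rewriting IPv4 headers, which is the point of the distinction above.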