On Thu, 03 Jan 2008 10:17:37 EST, William Herrin said:
> In my ever so humble opinion, IPv6 will not reach significant penetration at the customer level until NAT has been thoroughly implemented. Corporate information security officers will insist. Here's the thing: a stateful non-NAT firewall is automatically less secure than a stateful translating firewall. Why? Because a mistake configuring a NAT firewall breaks the network causing everything to stop working while a mistake with a firewall that does no translation causes data to flow unfiltered. Humans being humans, mistakes will be made. The first failure mode is highly preferable.
Which is why, if your site has an *actual* clue, the deployed hosts *also* have their own iptables/ipfilters/whatever-windows-calls-it rulesets that say what hosts are allowed to talk to them. So on the server, I can do:

ip6tables -A tcp-in -s ! 2001:468:c80::/48 -p tcp --dport 22 -j DROP

Now, even if our firewall guys fumble-finger something, I won't get SSH connections coming in from outside AS1312. Of course, I can't talk about business pressures from customers that have incompetent security officers that don't understand stuff like multiple layers of defense...
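The point of the host-level ruleset above is that it still holds when the border firewall does not. A practitioner will want to verify that property rather than trust it, so here is an added example (not code from the message or its author) that parses a small ip6tables-save style ruleset and simulates the INPUT chain for synthetic packets, checking that TCP/22 is accepted only from the site's own /48. The ruleset, the probe addresses and the `verdict`/`ssh_leaks` function names are all constructed for this example; the tcp-in chain mirrors the rule quoted in the message, with the prefix written out as `2001:468:c80::/48`. Only the matches actually used in that ruleset (`-s`, `-p`, `--dport`, `-j`, both the current `! -s` and the legacy `-s !` negation spelling) are modelled; stateful matches are not.

```python
"""Offline check of a host-level ip6tables policy (added example, not the
message author's code). Parses ip6tables-save style text, simulates the
INPUT chain for synthetic packets and verifies TCP/22 is accepted only
from the site's own /48. Ruleset and addresses are constructed."""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Optional

# Constructed ruleset; the tcp-in chain mirrors the rule quoted in the message.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:tcp-in - [0:0]
-A INPUT -p tcp -j tcp-in
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A tcp-in ! -s 2001:468:c80::/48 -p tcp -m tcp --dport 22 -j DROP
-A tcp-in -p tcp -m tcp --dport 22 -j ACCEPT
-A tcp-in -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}

@dataclass
class Rule:
    chain: str
    src: Optional[ipaddress.IPv6Network]
    src_negated: bool
    proto: Optional[str]
    dport: Optional[int]
    target: str

def parse_rules(text):
    """Return (chain policies, rules); policy None marks a user-defined chain."""
    policies, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            policies[name] = None if policy == "-" else policy
        elif line.startswith("-A "):
            rules.append(_parse_append(line))
    return policies, rules

def _parse_append(line):
    """Parse one '-A chain ...' line into a Rule (subset of ip6tables syntax)."""
    toks = shlex.split(line)
    rule = Rule(toks[1], None, False, None, None, "RETURN")
    negate_next, i = False, 2
    while i < len(toks):
        tok = toks[i]
        if tok == "!":                  # current syntax: "! -s net"
            negate_next, i = True, i + 1
        elif tok == "-s":
            if toks[i + 1] == "!":      # legacy syntax: "-s ! net"
                negate_next, i = True, i + 1
            rule.src = ipaddress.IPv6Network(toks[i + 1], strict=False)
            rule.src_negated, negate_next, i = negate_next, False, i + 2
        elif tok == "-p":
            rule.proto, i = toks[i + 1], i + 2
        elif tok == "--dport":
            rule.dport, i = int(toks[i + 1]), i + 2
        elif tok == "-j":
            rule.target, i = toks[i + 1], i + 2
        elif tok == "-m":               # match-extension name; no effect on the model
            i += 2
        else:
            raise ValueError(f"unsupported token {tok!r} in: {line}")
    return rule

def _matches(rule, src, proto, dport):
    # A source match fails when "inside the prefix" equals the negation flag.
    if rule.src is not None and (src in rule.src) == rule.src_negated:
        return False
    return (rule.proto in (None, proto)) and (rule.dport in (None, dport))

def _walk(policies, rules, chain, src, proto, dport):
    """First terminal verdict in `chain`, else its policy (None = return to caller)."""
    for rule in (r for r in rules if r.chain == chain):
        if not _matches(rule, src, proto, dport):
            continue
        if rule.target in TERMINAL:
            return rule.target
        if rule.target == "RETURN":
            break
        sub = _walk(policies, rules, rule.target, src, proto, dport)
        if sub is not None:
            return sub
    return policies.get(chain)

def verdict(text, src, proto, dport):
    """INPUT-chain verdict for a new packet from src to proto/dport."""
    policies, rules = parse_rules(text)
    return _walk(policies, rules, "INPUT", ipaddress.IPv6Address(src), proto, dport)

def ssh_leaks(text, site_prefix, probes):
    """Probe sources outside site_prefix that would still be accepted on TCP/22."""
    site = ipaddress.IPv6Network(site_prefix)
    return [p for p in probes if ipaddress.IPv6Address(p) not in site
            and verdict(text, p, "tcp", 22) == "ACCEPT"]
```

Feed it the output of `ip6tables-save` from a real host and a handful of off-site probe addresses; an empty list from `ssh_leaks` means the host-level layer enforces the intended SSH restriction on its own, independent of whatever happens at the border. Deleting the DROP line from the sample ruleset makes the same probes show up as leaks, which is the failure the message is guarding against.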