On Thu, Apr 17, 2014 at 9:05 PM, William Herrin <bill@herrin.us> wrote:
> Here's the drill: From an enterprise security perspective, deploying IPv6 is high risk. I have to re-implement every rule I set on my IPv4 addresses all over again with my IPv6 addresses and hope I don't screw it up in a way that lets an adversary wander right in. That risk is compounded exponentially if the _initial_ deployment can't follow an identical security posture to the IPv4 system. Without availability of the kind of NAT present in the IPv4 deployment, I have a problem whose solution is: sorry network team, return when the technology is mature.

It's a bigger risk to think that NAT somehow magically protects you against stuff on the Internet. Also, if your problem is that someone can screw up firewall rules, then you have a bigger issue in your organization than IPv6.

> There's a fair argument to be made which says that kind of NAT is unhealthy. If its proponents are correct, they'll win that argument later on with NAT-incompatible technology that enterprises want. After all, enterprise security folk didn't want the Internet in the corporate network at all, but having a web browser on every desk is just too darn useful. Where they won't win that argument is in the stretch of maximum risk for the enterprise security folk.

Any technology has associated risks, it's a matter of how you reduce/mitigate them. This paranoia thingie about IPv6 is getting a bit old. Just because you don't (seem to) understand how it works, it doesn't mean no one else should use it.

Eugeniu
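The security property that IPv4 NAT gives an enterprise as a side effect (unsolicited inbound connections have nowhere to go) is really the stateful default-deny of the firewall in front of it, and that can be stated once for both address families. The nftables ruleset below is an added example, not part of the thread or anyone's production config: the IPv4 masquerade lives in its own address-rewriting table, while the access-control decision lives in a single family-agnostic `inet` table, so the IPv6 deployment inherits the IPv4 posture by construction instead of being re-typed rule by rule. Interface names, the RFC 5737/3849 documentation prefixes and the one published HTTPS host are assumed placeholders.

```nft
#!/usr/sbin/nft -f
# Added example: dual-stack edge ruleset. Interfaces and prefixes are assumed.
flush ruleset

define WAN  = eth0
define LAN  = eth1
define LAN4 = 192.0.2.0/24        # documentation prefix, assumed
define WEB4 = 192.0.2.10          # published HTTPS host, assumed
define WEB6 = 2001:db8:1::10      # same host's IPv6 address, assumed

# IPv4 only: address rewriting so private space reaches the Internet and
# one published service is reachable. This is NOT the access-control
# decision; the filter table below still has to allow the forwarded flow.
table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        iifname $WAN tcp dport 443 dnat to $WEB4
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $WAN ip saddr $LAN4 masquerade
    }
}

# Both families: the real security boundary. Default drop inbound and
# forwarded traffic, allow replies to connections we opened, then only
# the services explicitly listed. Nothing here depends on NAT.
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname lo accept
        # ICMPv6 is not optional on v6: neighbor discovery, router
        # advertisement and path MTU discovery all ride on it.
        icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit,
                      nd-neighbor-advert, echo-request, packet-too-big,
                      time-exceeded, parameter-problem } accept
        icmp type { echo-request, destination-unreachable,
                    time-exceeded, parameter-problem } accept
        iifname $LAN tcp dport 22 accept     # management from inside only
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Inside to Internet, either family.
        iifname $LAN oifname $WAN accept
        # Internet to inside: only the published service, stated per family
        # because the addresses differ; the policy is otherwise identical.
        iifname $WAN oifname $LAN ip  daddr $WEB4 tcp dport 443 accept
        iifname $WAN oifname $LAN ip6 daddr $WEB6 tcp dport 443 accept
        # PMTUD and diagnostics must cross the router for v6 to work.
        iifname $WAN oifname $LAN icmpv6 type { packet-too-big, time-exceeded,
                                                parameter-problem, echo-request } accept
    }
}
```

Dry-run it with `nft -c -f ruleset.nft` before loading. The point to check after deployment is the one Herrin worries about: from outside, an IPv6 host behind this router is no more reachable than its IPv4 twin behind the NAT, because both hit the same `policy drop` in `forward`; the only family-specific lines are the two `daddr` matches for the published host, which is the same amount of per-address work NAT already required in the `dnat` rule. The one genuine IPv6 difference is that ICMPv6 cannot be blanket-dropped the way IPv4 ICMP often is.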