Re: Important IPv6 Policy Issue -- Your Input Requested
"Get a firewall" is not a valid response when you have lusers who drop the latest netgear whatever onto their PC and dial to some provider somewhere. Your firewall is useless to protect that segment. In many cases NAT is the ONLY protection you end up with in this scenario, a scenario that is far too common in the corporate world.

Jerry

-------Original Message-------
From: Theo de Whaat
Date: 11/09/04 15:28:44
To: jeyers@sloancc.net
Subject: Re: Important IPv6 Policy Issue -- Your Input Requested

Get a firewall. You shouldn't rely on NAT to provide this functionality. How long has IPv6 been on the horizon, promising to make NAT unnecessary?
I want my inside addresses to be non accessible from the 'real world', ever.
On Wed, Nov 10, 2004 at 03:14:51AM -0500, Jerry Eyers wrote:
"Get a firewall" is not a valid response when you have lusers who drop the latest netgear whatever onto their PC and dial to some provider somewhere. Your firewall is useless to protect that segment. In many cases NAT is the ONLY protection you end up with in this scenario, a scenario that is far too common in the corporate world.
Jerry
Then get a stateful firewall. NAT == stateful fw + header map/mod. done/done.

-J

--
James Jun
Technical Lead
james@towardex.com
TowardEX Technologies, Inc.
IPv4 and Native IPv6 Colocation, Bandwidth, and Web Hosting Services in the Metro Boston area
cell: 1(978)-394-2867
web: http://www.towardex.com , noc: www.twdx.net
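James's equation "NAT == stateful fw + header map/mod", as an added toy model that is not code from the thread: one connection tracker is run with and without the source rewrite, and in both cases an unsolicited inbound packet is dropped because no matching flow exists, while the reply to an outbound flow is let back in. The addresses, ports and the single-edge topology are constructed for illustration (a host with a second uplink, as raised later in the thread, never crosses this edge at all).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class StatefulEdge:
    """Connection-tracking edge device (constructed model).  nat_external=None is a
    plain stateful firewall, the IPv6 case; nat_external="203.0.113.1" adds the
    IPv4-style source rewrite on top of the very same state table."""

    def __init__(self, nat_external=None):
        self.nat_external = nat_external
        self.flows = {}          # (src, sport, dst, dport) as seen outside -> inside (src, sport)
        self.next_port = 40000   # next mapped source port when NAT is on

    def outbound(self, pkt):
        """Inside -> outside is always allowed; record the flow as the outside sees it."""
        src, sport = pkt.src, pkt.sport
        if self.nat_external:    # the "header map/mod" part: rewrite source address and port
            src, sport = self.nat_external, self.next_port
            self.next_port += 1
        self.flows[(src, sport, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(src, sport, pkt.dst, pkt.dport)   # the packet that leaves the edge

    def inbound(self, pkt):
        """Outside -> inside is accepted only as the reverse of a recorded flow.
        Returns the packet as delivered inside (un-mapped when NAT is on), else None."""
        orig = self.flows.get((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if orig is None:
            return None          # unsolicited: dropped by the state table, not by any rewrite
        return Packet(pkt.src, pkt.sport, orig[0], orig[1])

def demo(nat_external=None):
    """Constructed traffic: one outbound HTTPS flow, its reply, and one unsolicited probe."""
    edge = StatefulEdge(nat_external)
    inside, server, prober = (("10.0.0.10", "198.51.100.5", "198.51.100.99") if nat_external
                              else ("2001:db8:1::10", "2001:db8:9::1", "2001:db8:bad::1"))
    wire = edge.outbound(Packet(inside, 51000, server, 443))
    reply = edge.inbound(Packet(server, 443, wire.src, wire.sport))   # legitimate return traffic
    probe = edge.inbound(Packet(prober, 4444, wire.src, 22))          # nobody inside asked for this
    return {"wire": wire, "reply": reply, "probe": probe}

if __name__ == "__main__":
    for mode in (None, "203.0.113.1"):
        r = demo(mode)
        print("NAT" if mode else "plain", r["wire"].src, r["reply"] is not None, r["probe"])
```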
"Get a firewall" is not a valid response when you have lusers who drop the latest netgear whatever onto their PC and dial to some provider somewhere. Your firewall is useless to protect that segment. In many cases NAT is the ONLY protection you end up with in this scenario, a scenario that is far too common in the corporate world.
and do explain how a user coming in with their laptop and dialing a provider is gonna be affected by your nat

randy
and do explain how a user coming in with their laptop and dialing a provider is gonna be affected by your nat
If IPv6 had "local scope" addresses, then NAT would not be necessary to prevent traffic from flowing through the unauthorized link. I know that the IETF has deprecated local scope addresses but I'm curious whether any of the router vendors currently support local scope addresses in their equipment.

--Michael Dillon
On Wed, 2004-11-10 at 14:46 +0000, Michael.Dillon@radianz.com wrote:
and do explain how a user coming in with their laptop and dialing a provider is gonna be affected by your nat
If IPv6 had "local scope" addresses, then NAT would not be necessary to prevent traffic from flowing through the unauthorized link. I know that the IETF has deprecated local scope addresses but I'm curious whether any of the router vendors currently support local scope addresses in their equipment.
"local scope" is back in the form of the ULA stuff. Which takes away the problem of local scope which was merely RFC1918. Routing vendors in general don't really care about those things. Otherwise they would long ago have been pre-configuring rfc1918 filters and other want-to-haves per default, but they don't. Remember that when there is a problem, somebody needs to be called (and thus paid) for support. NAT is a nice money business... "It doesn't work, let's call the expensive NAT guru"

Greets,
Jeroen
On Wed, 10 Nov 2004 03:14:51 EST, Jerry Eyers said:
"Get a firewall" is not a valid response when you have lusers who drop the latest netgear whatever onto their PC and dial to some provider somewhere. Your firewall is useless to protect that segment. In many cases NAT is the ONLY protection you end up with in this scenario, a scenario that is far too common in the corporate world.
And NAT does what, exactly, to defend you against a PC that has one interface on the NAT'ed network and one interface "elsewhere/elsewhen" (be it a netgear, or somebody at the far end of a VPN, or a laptop that was connected externally, and now is on the corporate LAN)? There's a *reason* why Bill Cheswick said "A crunchy shell around a soft, chewy inside"......