[arin-ppml] inevitability of NAT?

Owen DeLong owen at delong.com
Tue Feb 8 21:32:45 EST 2011


On Feb 8, 2011, at 5:31 PM, Mark Andrews wrote:

> 
> In message <014d01cbc7cc$226f81e0$674e85a0$@iname.com>, "Frank Bulk" writes:
>> Due to device (storage) limitations D-Link wasn't able to put a firewall in
>> many of its IPv-6 capable releases for its different hardware models, but
>> DIR-655 is supposed to support SPI.
>> 
>> Frank
> 
> Also IPv6 equipment should be capable of being put on the net without
> a seperate firewall.  If it isn't then the product really isn't fit
> for the purpose it was designed for.  Its been a hostile net for
> the entire time IPv6 has existed and that should have been factored
> into the design.  A seperate firewall provides additional isolation
> but shouldn't be needed.
> 
Agreed.

> Giving a device a ULA and not a public address if it doesn't need to
> talk to the world will give you as much protection as a NAT gives.
> 
Which is to say nearly none at all, with the additional disadvantage
that you can't actually talk to the outside world at all, unlike NAT which
provides limited broken connectivity to the outside world.

> Feature parity should also be there.  I've got a Brother network
> printer that has accept/deny filters for IPv4 but not for IPv6.  I
> don't know what they were thinking.  IPv6 doesn't need accept/deny
> filters but IPv6 does?  It would have been less than a days work
> to add them as they already have them working for IPv4.  A bit more
> for testing and documentation.  At least I can set the IPv6 address
> statically to a ULA.
> 
I think you meant "...but IPv4 does?"

I agree that many of the device manufacturers aren't getting it yet.
I think there are lots of lessons to be learned in the CE and CPE
worlds yet. Unfortunately, many of them are lessons network engineers
mostly already learned from IPv4, but, for some reason, the manufacturers
are choosing to ignore them in their first rounds of IPv6 devices.

Two years ago, it was hard to find IPv6 devices at all. Now we have
deficient IPv6 devices. Hopefully by the next round, we'll start to see
capable IPv6 devices.

At least the situation seems to be moving in the generally correct
direction.

Owen




More information about the ARIN-PPML mailing list