[arin-discuss] Trying to Understand IPV6

Alan Batie alan at peak.org
Mon Sep 13 18:48:19 EDT 2010


On 9/13/10 2:51 PM, Owen DeLong wrote:

> There's nothing security-wise in NAT that isn't available in stateful
> inspection.

except fail-safety.

It's inherent in the way NAT works that incoming connections are blocked
unless you specifically do something to forward them.

A stateful firewall router is a router.  It may be implemented with
default rules to block incoming connections, but that is an active
activity that, if it fails for some reason, opens you up.

I'm in favor of banishing NAT also, but recognize that the home router
vendors really need to take care that it is clear and obvious when and
which incoming connections are permitted, and to have some hoops to jump
to do it.  In general, get us as close to the NAT default as possible.



