[arin-ppml] IPv6 Non-connected networks
michael.dillon at bt.com
Thu Mar 25 07:29:56 EDT 2010
> Anything that
> NAT does can be achieved with a firewall and a well-designed
> security architecture (such as segregation of hosts into
> proper security zones, etc).
No. You cannot have two layers if you stuff all your security
eggs into one firewall basket. IPv4 NAT allows you to use the
CE router as an additional security layer.
> Don't break IPv6 for the rest of
> us because some people don't know how to design their
> networks. Let those few suffer the consequences rather than
> the rest of us.
First, what you ask is impossible. If the so-called "few" misconfigure
their networks, we all suffer when our customers cannot make our
services work across the other guy's firewall.
Secondly, if you want to do something about this in the IETF's
6ops working group, it would be best to not use the term "NAT"
which is ambiguous and refers to at least 3 different functions
depending on what implementation you are referring to.
It seems quite reasonable to ask that IPv6 CE routers have a
default configuration that fails in the OFF position, and which
only allows incoming packets to sockets that were originated
by devices inside the network. This would still break things
like incoming phone calls, unless these CE routers had some
way to register devices willing to accept incoming calls. Again,
in an IETF WG, you can make the argument for such technology,
help create it, and make it so.
On ARIN PPML, all you can do is to blow hot air like the rest
of us in this thread.
Why choose to be an airbag when you could whoosh on over to
6ops and build that pneumatic door locker?
> On Wed, 2010-03-24 at 18:51 -0400, Lee Dilkie wrote:
> > Is no one concerned that NAT breaks a lot of networking, especially
> > peer-to-peer, and forces some really inefficient technologies, like
> > SBC's, to exist?
> > There is a lot of network media traffic (example, VoIP) that is
> > unnecessarily backhauled across the internet because of NAT and in an
> > NAT-less IPv6 world could use less network resources and be more reliable.
> > -lee
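
The default described in the message above (drop inbound packets unless an inside device opened the flow, or registered to accept incoming calls), sketched as a small Python model. This is an added example, not part of the original post; `CEFilter`, `register` and the documentation-range addresses are hypothetical, and the registration step stands in for the mechanism the post says would still have to be created.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class CEFilter:
    inside: ipaddress.IPv6Network
    flows: set = field(default_factory=set)      # state from outbound packets
    listeners: set = field(default_factory=set)  # hypothetical opt-in registrations

    def _is_inside(self, addr):
        return ipaddress.ip_address(addr) in self.inside

    def register(self, proto, addr, port):
        # Hypothetical: an inside device declares it will accept incoming traffic.
        if not self._is_inside(addr):
            raise ValueError("only inside devices may register")
        self.listeners.add((proto, addr, port))

    def handle(self, p):
        src_in, dst_in = self._is_inside(p.src), self._is_inside(p.dst)
        if src_in and not dst_in:
            # Outbound: allow and remember the flow so its replies match.
            self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return "ALLOW"
        if dst_in and not src_in:
            reply = (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows
            opted_in = (p.proto, p.dst, p.dport) in self.listeners
            return "ALLOW" if reply or opted_in else "DROP"
        return "DROP"  # anything else fails closed

def demo():
    # Constructed addresses from the 2001:db8::/32 documentation range.
    fw = CEFilter(ipaddress.ip_network("2001:db8:1::/48"))
    phone, peer = "2001:db8:1::10", "2001:db8:ffff::5"
    out = [fw.handle(Packet("udp", peer, 5060, phone, 5060))]      # unsolicited call
    out.append(fw.handle(Packet("tcp", phone, 40000, peer, 443)))  # outbound
    out.append(fw.handle(Packet("tcp", peer, 443, phone, 40000)))  # its reply
    fw.register("udp", phone, 5060)
    out.append(fw.handle(Packet("udp", peer, 5060, phone, 5060)))  # call after opt-in
    return out
```

The model keeps no timers and does not track TCP state; it only shows which inbound packets the default lets through and why the incoming call is dropped until the phone opts in.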