On Monday, March 24, 2014 02:56:13 PM Timothy Morizot wrote:

> NAT traversal is and has long been fairly trivial. NAT
> and RFC1918 provide no meaningful host protection
> whatsoever and never have. The only thing that limits
> direct access to internal networks is a stateful
> firewall. (Well, IPS can also drop packets.) That's true
> for IPv4 and for IPv6. So an enterprise relying on NAT44
> and RFC1918 for internal host protection instead of a
> stateful firewall already has no meaningful security in
> place.

Don't disagree with you there. I'm saying many an enterprise (small and large) as well as homes operate this way. There is a lot of unlearning to do.

The whole issue is that a number of enterprises "may" only feel safe if IPv6 comes with NAT66, probably on top (or not on top) of a stateful IPv6 firewall.

We need to think about how to re-train the enterprise, if we don't want to repeat the erasure of the end-to-end model a second time around.

Mark.