Re: IPV4 is nearly depleted, are you ready for IPV6?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



On 06/12/10 15:53, Ross Walker wrote:
> On Dec 6, 2010, at 8:37 AM, Adam Tauno Williams <awilliam@xxxxxxxxxxxxx> wrote:
> 
>> NO NO NO NO NO NO NO and NO!  (*@!^&*@$ &@*^*&$@  &*@^*&@  How many
>> times does this have to be explained???  NAT *IS* *NOT* a @*(&^*(^@(*@
>> security tool.  It isn't.  Stop saying it is.  You use *firewalls* for
>> security.  Just block ingress traffic and you are just as well off as
>> you are on NAT - and odds are in your NAT configure you are doing that
>> already.  All you do is eliminate the hacks, performance penalty, and
>> interoperability problems created by NAT.  NAT is a *problem*, not a
>> solution for anything other than a deficient network protocol.
> 
> There is no arguing that NAT is not a security tool, but if your
> firewall drops it's pants it's better to have non-routable addresses
> behind it.

Good point.  I'm just thinking out loud.

What if the gateway/router/firewall does not know about the IPv6 network
on the network interface where this "sensitive" IPv6 net is.

And does it really need to be connected to this gateway at all, if it
shouldn't be available to other networks at all?  And if there are some
odd reasons for doing so, what about having this IPv6 subnet in a
separate VLAN without a IPv6 gateway to the rest of the world?


kind regards,

David Sommerseth

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos


[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux