Re: Why people by NATs

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I'm sorry to reply so long after the fact, but...

On 23-nov-04, at 3:12, Hans Kruse wrote:

However, most SOHO sites look for a zero-order level of protection against the random worm trying to connect to an open TCP port on the average windows machine (especially one set up for file/print sharing on the SOHO network), and NAT does that just fine.

IPv6 marketing has to take this into account, with a deliberate "here is why the IPv6 gateway provides the same default protection as NAT..." FAQ entry.

Actually in IPv6 you are well-protected against random scanning withough the need for any device in the middle: a /64 subnet is so large, that scanning it is completely infeasible.


Now of course someone who knows your address doesn't have to scan, so this protection isn't complete. But for TCP it's entirely trivial to only allow sessions to be set up in one direction. Full stateful firewalling is of course also possible. However, both these options bring back some of the downsides of NAT: in order to make incoming sessions possible, there must be configuration of some sort.

A default filter that rejects packets for services that are generally intended for local use only would probably be good enough for a residential IPv6 router. Other services are either not enabled and/or firewalled in the host anyway, or the user actually wants them to work.

(It would be incredible helpful to have all these local-use services in a fixed range of port numbers for easy filtering...)


_______________________________________________ Ietf@xxxxxxxx https://www1.ietf.org/mailman/listinfo/ietf

[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]