RE: NATs as firewalls

> From: michael.dillon@xxxxxx [mailto:michael.dillon@xxxxxx] 

> IPv6 is also a technology refresh, i.e. it forces vendors to 
> reimplement their boxes. It forces people to buy new systems. 
> If the only thing that they get is a new protocol with wider 
> addresses, then they will see this as a generally negative 
> experience and wonder why people with more money couldn't 
> just buy IPv4 addresses from those with less. Let them eat NAT!

Quite, the bigger address space does not necessarily drive adoption in the way we would wish. Population pressure in Europe continued to bid up the value of land there even after the discovery of the New World. 

Even though there was no shortage of space in the New World (if you were prepared to push aside the indigenous population) it was three centuries before the infrastructure there made the land equally attractive.

> But, if there are clear guidelines for IPv6 gateways that 
> focus on enabling functionality then people will see a value 
> in upgrading. An explicit firewall service is a value. No NAT 
> thus enabling more peer-to-peer applications is a value. 
> There could be more to it as well.

You conflate an implementation with a requirement.

Enabling peer-to-peer applications, in particular video conferencing, is the value. ANY means of enabling the benefit works.

The chief challenge however is how to open up the network to inbound TCP requests without creating a security meltdown. Eliminating NAT does not by itself eliminate the network issue. Once you start to look at ways of managing the network security issue the question of addresses becomes moot.


> For instance, if we accept the model that the majority of 
> Internet hosts will communicate with the core via stateful 
> gateways, then there is the possibility of a standard way for 
> an application to communicate with its local stateful gateway 
> in order to change the state, rather than implementing things 
> like STUN (Simple Traversal of UDP through NAT).
> That too, would be a value for the buyer of a standard 
> Internet gateway.

This is the model that I prefer. It allows me to meet a set of security objectives that is considerably more restrictive than anything on the market today yet also makes video conferencing and other peer-to-peer configurations practical.

One of the keys here is to step back from administering hosts and instead look at ways to configure the network.

_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
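The gateway-control model the reply above prefers (an application asks its local stateful gateway to open an inbound hole, and policy is enforced in the network rather than administered on each host) can be sketched as a small simulation. What follows is an added example written for this page, not code from the thread or from any real protocol: the request fields, the policy rules (requests must come from inside, a host may only open holes for itself, ports and lifetimes are capped), the port range and the 2001:db8::/32 documentation addresses are all assumptions chosen for illustration.

```python
"""Toy model of a host asking its local stateful gateway to open an inbound
pinhole.  Constructed example; the message shape, policy values and addresses
are assumptions, not a real gateway-control protocol."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Pinhole:
    internal_host: str
    internal_port: int
    proto: str
    expires_at: int  # seconds on the gateway's clock


class StatefulGateway:
    """Default-deny for inbound traffic; holes open only on request from inside."""

    def __init__(self, internal_prefix: str, allowed_ports: range, max_lifetime: int):
        self.internal_prefix = internal_prefix  # assumed: one inside prefix
        self.allowed_ports = allowed_ports      # assumed: policy-permitted ports
        self.max_lifetime = max_lifetime        # assumed: cap in seconds
        self.table: dict[tuple[str, int, str], Pinhole] = {}

    def request_pinhole(self, requester: str, internal_host: str, internal_port: int,
                        proto: str, lifetime: int, now: int) -> tuple[bool, str]:
        # Policy 1: only the inside can change state; the outside never can.
        if not requester.startswith(self.internal_prefix):
            return False, "request did not originate inside"
        # Policy 2: a host may only open holes for itself (no third-party mappings).
        if requester != internal_host:
            return False, "third-party mapping refused"
        if proto not in ("tcp", "udp"):
            return False, "unknown protocol"
        if internal_port not in self.allowed_ports:
            return False, f"port {internal_port} outside allowed range"
        if lifetime <= 0:
            return False, "lifetime must be positive"
        # Policy 3: cap the lifetime so a forgotten hole closes by itself.
        granted = min(lifetime, self.max_lifetime)
        self.table[(internal_host, internal_port, proto)] = Pinhole(
            internal_host, internal_port, proto, now + granted)
        return True, f"pinhole open for {granted}s"

    def release_pinhole(self, requester: str, internal_port: int, proto: str) -> bool:
        # A host may close only its own holes.
        return self.table.pop((requester, internal_port, proto), None) is not None

    def expire(self, now: int) -> None:
        for key, hole in list(self.table.items()):
            if hole.expires_at <= now:
                del self.table[key]

    def admit_inbound(self, dst_host: str, dst_port: int, proto: str, now: int) -> bool:
        """Decision for an unsolicited inbound SYN/datagram: pass only if a hole exists."""
        self.expire(now)
        return (dst_host, dst_port, proto) in self.table


def demo() -> dict:
    """Walk through one exchange and return every decision the gateway made."""
    gw = StatefulGateway(internal_prefix="2001:db8:1::",
                         allowed_ports=range(1024, 65536), max_lifetime=3600)
    host = "2001:db8:1::10"       # constructed: the conferencing endpoint
    neighbour = "2001:db8:1::20"  # constructed: another inside host
    outsider = "2001:db8:ffff::1" # constructed: an address beyond the gateway
    r = {}
    # The conferencing app asks for 2h of inbound TCP on 5060; the cap trims it.
    r["open"] = gw.request_pinhole(host, host, 5060, "tcp", 7200, now=0)
    r["spoof_from_outside"] = gw.request_pinhole(outsider, host, 22, "tcp", 60, now=0)
    r["third_party"] = gw.request_pinhole(neighbour, host, 8080, "tcp", 60, now=0)
    r["privileged_port"] = gw.request_pinhole(host, host, 22, "tcp", 60, now=0)
    r["inbound_ok"] = gw.admit_inbound(host, 5060, "tcp", now=10)
    r["inbound_other_port"] = gw.admit_inbound(host, 5061, "tcp", now=10)
    r["release_by_neighbour"] = gw.release_pinhole(neighbour, 5060, "tcp")
    r["inbound_after_expiry"] = gw.admit_inbound(host, 5060, "tcp", now=3601)
    r["table_empty"] = len(gw.table) == 0
    return r


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:22} {outcome}")
```

The point of the simulation is the three policy checks, not the table itself: because every state change is requested from inside and scoped to the requester, the gateway can stay default-deny for inbound connections while still letting a peer-to-peer application receive them, which is the combination the reply describes as more restrictive than current products yet still practical.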