On Sun, 18 Apr 2010, Edward Ned Harvey wrote:

>> From: discuss-boun...@lopsa.org [mailto:discuss-boun...@lopsa.org] On
>> Behalf Of Yves Dorfsman
>>
>> NAT is used to let more devices use the Internet than the number of public IP
>> addresses that are available to the organisation.
>>
>> But I know a few companies that ended up with a class B network, only have a
>> few thousand internal nodes (< 20 K), but still use NAT for "security
>> reasons", to hide their internal infrastructure. I'm not really sure it adds
>> any level of security, but have found that this idea (myth?) is
>> commonly accepted.
>>
>> Will people still use NAT with IPv6? Anybody worked for a medium size
>> organisation with several thousand nodes and IPv6? What did you/they do?
>
> I see no reason to use NAT with IPv6. Formerly, it provided some level of
> security, because it's implicitly blocking inbound traffic except as
> established/related, but it would be smarter, if you want that, just to
> create a rule to block inbound traffic.
>
> However, a lot of companies will probably continue with their "Block all
> access to the Internet, and make all our internal users go through a proxy"
> policies. Which I hate.
NAT is also useful to hide internal details of a network when you don't want them exposed. You may not like it if you are wanting to use your company desktop as a P2P node, but I question if you really have a right to do that or if the company has not only a right, but a responsibility to limit what you do inside their network.

Security through obscurity is not going to succeed by itself in the long run, but that doesn't mean that you should give potential attackers a roadmap to your network. Hiding implementation details is very useful in slowing attackers, and the methods that attackers use to find these details can frequently be used to identify an intruder.

But back to the initial question, does any IPv6 implementation support NAT? I know that the people pushing IPv6 consider NAT evil and want to make it impossible.

In terms of the 'need' for NAT, there is no need to use NAT to avoid running out of IP addresses. The smallest network that IPv6 lets you allocate is a /64, which is 4294967296 times larger than the entire Internet today (approximately 18,446,744,073,709,600,000 IP addresses (1.8e+19) per network minimum).

In terms of security, the 'outbound only' nature of NAT for home users is a wonderful default security policy. It doesn't completely protect the machines, but it eliminates a HUGE category of attacks. Yes, this policy could be implemented without NAT, but historically it hasn't been.

I am also concerned with the fact that with NAT, defeating this policy requires that you explicitly open up each inbound connection (or at the worst, you defeat it for a single server), while without NAT it is very easy to just drop all restrictions and things will work, but be far more open than the person dropping the restrictions realizes. You may not care about exposing your laptop directly to the Internet (after all, you do so anyway when on the road, so it's already hardened), but when you start to expose your printer, TV, game console..... do you really trust that all of those vendors have hardened their machines to be reasonably safe if exposed directly to the Internet?

I also think that if NAT was supported for IPv6 (and especially IPv6 -> IPv4 NAT) it would significantly increase IPv6 adoption, as it would allow the migration to IPv6 to happen from the leaf nodes first without needing to do the tunneling setup. Right now there is no incentive for anyone to convert their network to IPv6 other than the 'you will need to someday' argument. You have to keep running IPv4 anyway (for clients to talk to servers, for servers to allow clients to talk to you). The experimental setups that are being done all tunnel your traffic through a relatively small number of nodes, which adds latency to your IPv6 connections and would become a bottleneck if IPv6 adoption really took off.

If it were possible to run a pure IPv6 network internally and have it NATed to IPv4 at the perimeter (and to then do a similar IPv4 -> IPv6 NAT for inbound connections that you wanted to allow) things would be significantly simpler, and over time that perimeter where NAT took place could move from your router to your ISP, to the ISP's connection to its upstream providers, to the routers between the ISPs and the servers, and this could happen pretty much transparently to the users.

David Lang

_______________________________________________
Discuss mailing list
Discuss@lopsa.org
http://lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/
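The 'outbound only' policy the thread says NAT gives home users can be stated directly as a stateful filter; the following nftables ruleset for an IPv6 router is an added example, not from the thread or from any of its participants. It defaults to dropping unsolicited inbound traffic while still passing the ICMPv6 messages IPv6 needs to operate; the interface name wan0 and the 2001:db8:: prefix are placeholders.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread: IPv6 "outbound only" default without NAT.
# "wan0" and the 2001:db8:: prefix are placeholders; adjust for your site.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        # Replies to flows this router itself started
        ct state established,related accept
        ct state invalid drop
        # ICMPv6 is not optional: neighbour discovery, router advertisements
        # and path-MTU discovery break if it is dropped wholesale.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request, nd-router-advert,
                      nd-neighbor-solicit, nd-neighbor-advert } accept
        # DHCPv6 client replies arrive from a link-local address on the WAN
        iif "wan0" ip6 saddr fe80::/10 udp sport 547 udp dport 546 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        # LAN hosts may initiate anything outbound; nothing unsolicited comes in
        ct state established,related accept
        ct state invalid drop
        iifname != "wan0" oifname "wan0" accept
        # Inbound ICMPv6 errors still need to reach LAN hosts (PMTU discovery)
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept
        # Exposing one inbound service is a deliberate, per-host exception:
        # iifname "wan0" ip6 daddr 2001:db8:0:1::10 tcp dport 443 accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Check it with `nft -c -f <file>` before loading it with `nft -f <file>`; note that, unlike NAT, removing the forward chain's drop policy exposes every LAN host at once, which is exactly the "far more open than the person realizes" failure David describes.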