On Tue, 20 Apr 2010, Robert Brockway wrote:

> On Tue, 20 Apr 2010, Edward Ned Harvey wrote:
>
> Hi Edward.
>
>> No, NAT will not be necessary or useful anymore in IPv6 for the sake of
>> creating address space.  Yes, NAT could be useful to mask your internal
>> network topology from the wild world web.  If you do implement NAT to mask
>
> Does it though?
>
> To me "network topology" refers to how the subnets relate to one another -
> not the actual IP addresses used.  If someone can see an internal address
> on my network they can't tell where in my network it is.

but they can tell that it is a real target to go after and not waste their 
time going after non-existent targets (which would have the side effect of 
making their attack more visible to you)

> Various sorts of probing can be used to derive the topology to an
> accessible IP address but methods to limit or prevent these probes are
> well understood.
>
> I'll tell you what does expose internal network topologies - SMTP headers
> and that happens right now whether NAT is in use or not.  Any other
> application which records its path through the network in the application
> headers is similarly exposing network topology.

this is why some companies have their mail server strip off the internal 
headers before relaying it to the outside.

> For the record this is my take on NAT in IPv6.  I've presented this
> argument a number of times in recent years.
>
> An entire generation of sysadmins have grown up thinking of NAT as an
> integral part of networking.  As a result some sites will use many:one NAT
> or one:one NAT and some won't.
>
> Eventually it will become evident that NAT offers no appreciable benefits
> but costs real money to maintain.  Usage will fade away over a number of
> years.  I expect CFOs and sysadmins will be in agreement that it has to
> go.

I agree that in many cases NAT is used inappropriately, but until IP 
address space really is allocated to the end user (or company) rather than 
the ISP, some of these arguments will remain as valid (or invalid) as they 
are today (specifically the argument that it's easier to change ISPs if you 
use NAT than if you use real IP addresses on your servers)

>> (4) There's no reason IPv4 needs to die.  In all likelihood, devices which
>
> I predict IPv4 will only exist in isolated pockets by about 2020.  The
> reason is the same one as above.  Maintaining dual stack systems requires
> additional resources (money).  Apps will need to support it, testing/QA
> will need to occur, etc.  Companies will monitor the proportion of users
> accessing their systems over IPv4 or IPv6.  As long as dual stack client
> machines try IPv6 first the proportion of IPv4 will steadily reduce.
>
> Eventually it will hit a point when it is no longer cost effective for
> companies to support IPv4.  While we may argue about whether my predicted
> timeframe is accurate I think the general trend must hold true.

before you can have a trend like this you need to have IPv6 connectivity 
in the first place. Right now that is a chicken and egg situation, nobody 
is offering it because nobody would use it and nobody is trying to use it 
because nobody is offering it.

David Lang
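The header stripping mentioned above, as an added example that is not from this thread: a small Python filter an outbound relay could apply, dropping any Received: header that names an RFC 1918/ULA address or an assumed internal DNS suffix (.corp.example.com) while keeping public hops in their original order and folding; the message is constructed.

```python
import re
from ipaddress import ip_address, ip_network

# Site-only ranges (RFC 1918, RFC 4193 ULA) and the internal DNS suffix (assumed).
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
INTERNAL_SUFFIX = ".corp.example.com"

# Address literals as written in Received: ([10.1.2.3], [IPv6:fd00::1]) or bare quads.
ADDR_RE = re.compile(r"\[(?:IPv6:)?([0-9a-fA-F:.]+)\]|\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HOST_RE = re.compile(r"\b([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)\b")  # dotted host names

# Constructed message: two internal hops (leak addresses/host names), one public hop.
SAMPLE = """\
Received: from relay2.corp.example.com (relay2.corp.example.com [10.20.30.5])
\tby mx-border.example.com with ESMTP; Tue, 20 Apr 2010 10:00:02 +0000
Received: from desktop-42.corp.example.com ([192.168.7.42])
\tby relay2.corp.example.com with ESMTP; Tue, 20 Apr 2010 10:00:01 +0000
Received: from mail.partner.example.org (mail.partner.example.org [198.51.100.7])
\tby mx-border.example.com with ESMTP; Tue, 20 Apr 2010 09:59:00 +0000
From: alice@example.com

hello
"""

def reveals_internal_topology(received):
    """True if a Received: header names an internal address or internal host."""
    for m in ADDR_RE.finditer(received):
        try:
            addr = ip_address(m.group(1) or m.group(2))
        except ValueError:
            continue  # bracketed token that is not an address literal
        if any(addr in net for net in INTERNAL_NETS):
            return True
    return any(h.lower().endswith(INTERNAL_SUFFIX) for h in HOST_RE.findall(received))

def strip_internal_received(raw):
    """Drop internal-hop Received: headers; keep order and folding of the rest."""
    head, sep, body = raw.partition("\n\n")
    fields = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and fields:
            fields[-1] += "\n" + line  # folded continuation line belongs to previous header
        else:
            fields.append(line)
    kept = [f for f in fields if not (f.lower().startswith("received:")
                                      and reveals_internal_topology(f))]
    return "\n".join(kept) + sep + body
```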
_______________________________________________
Discuss mailing list
http://lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
 http://lopsa.org/