On Thu, Apr 17, 2014 at 11:45 PM, George Herbert <george.herb...@gmail.com> wrote:

> On Thu, Apr 17, 2014 at 11:32 AM, Eugeniu Patrascu <eu...@imacandi.net> wrote:
>
>> ...
>> It's a bigger risk to think that NAT somehow magically protects you
>> against stuff on the Internet.
>> Also, if your problem is that someone can screw up firewall rules, then
>> you have a bigger issue in your organization than IPv6.
>
>>> There's a fair argument to be made which says that kind of NAT is
>>> unhealthy. If its proponents are correct, they'll win that argument
>>> later on with NAT-incompatible technology that enterprises want. After
>>> all, enterprise security folk didn't want the Internet in the
>>> corporate network at all, but having a web browser on every desk is
>>> just too darn useful. Where they won't win that argument is in the
>>> stretch of maximum risk for the enterprise security folk.
>>>
>> Any technology has associated risks, it's a matter of how you
>> reduce/mitigate them.
>> This paranoia thingie about IPv6 is getting a bit old.
>> Just because you don't (seem to) understand how it works, it doesn't mean
>> no one else should use it.
>
> You are missing the point.
>
> Granted, anyone who is IPv6 aware doing a green-field enterprise firewall
> design today should probably choose another way than NAT.
>

That's why you have gazillions of IP addresses in IPv6, so you don't need to
NAT anything (among other things). I don't understand why people cling to
NAT stuff when you can just route.

> What you are failing is that "redesign firewall rules and approach from
> scratch along with the IPv6 implementation" usually is not the chosen path,
> versus "re-implement the same v4 firewall rules and technologies in IPv6
> for the IPv6 implementation", because all the IPv6 aware net admins are
> having too much to do dealing with all the other conversion issues, vendor
> readiness all across the stack, etc.
>

You treat IPv6 like the only protocol running and design the implementation
taking that into consideration.
Where necessary you publish AAAA records and so only devices/services that
are IPv6 aware will be accessed over IPv6, all others can stay on IPv4 until
they are migrated. It works wonderfully. This idea of matching IPv4 1:1 to
IPv6 is not the way to go.

> Variations on this theme are part of why it's 2014 and IPv6 hasn't already
> taken over the world. The more rabid IPv6 proponents have in fact shot the
> transition in the legs repeatedly, and those of us who have been on the
> front lines would like you all to please shut up and get out of the way so
> we can actually finish effecting v6 deployment and move on to mopping up
> things like NAT later.
>

I don't get this paragraph. From my perspective, if you want IPv6 you can do
it. From all the organizations I get in contact with and ask about IPv6, it
is the lack of knowledge and interest that puts a stop to the deployment,
nothing else.

Eugeniu