On Mar 30, 2011, at 10:24 AM, Adam Tauno Williams wrote:

>> about security. People have come to rely on their IPv4 NAT as a form
>> of inbound packet filter.
>
> Incorrectly, yes. Because they don't know the difference between NAT
> and a firewall.

I think plenty of people know the difference between NAT and a firewall. The issue is that if you're in some hacker-hellhole in Southeast Asia and my server's IP address is "192.168.1.14", and I haven't *specifically* enabled some sort of mapping to allow you to talk to some other address to talk to that server, you're not going to reach my server without a whole mess of people doing something wrong in the middle.

At the same time, though, if I want to initiate an outbound connection with my server still having its private address, my firewall will happily allow me to connect outbound (for software/firmware upgrades, etc.).

The "purists" will argue "oh you don't NEED that, all you NEED is a really great firewall setup", or whatever, but the practical reality is that the existing model works pretty darned good for a whole lot of use-cases, and IPv6 seems hell-bent-by-design to break that model.

Because (from the outside looking in), it looks like IPv6 was designed by religious zealots with not a lot of practical experience. I'm not saying that's *actually* the case, but IPv6 definitely resembles a "camel" in a lot of respects. Various portions of the protocol seem specifically designed to promote some sort of "we know better than you how you should be running your network" mentality, and often to the detriment of everyone involved. For example, the way the DHCP folks undermined the RA usefulness, and the way the router-minded folks gutted the usefulness of DHCPv6, leaving us with two big piles of stinking offal that are legitimately attractive, as designed, to a very small subset of the people who have to use them.

D

_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
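As an added illustration (not from the thread, and not anyone's production ruleset) of the "really great firewall setup" the message refers to: an nftables forward chain on an IPv6 border router that reproduces what the mail relies on from IPv4 NAT, namely inside hosts may initiate outbound, replies come back, and nothing unsolicited reaches the inside except one explicit "mapping". The interface names and the server address 2001:db8:1::14 (documentation prefix) are assumed placeholders.

```nftables
# Assumed placeholders: WAN/LAN interface names and a constructed server address.
define wan = "eth0"
define lan = "eth1"
define server = 2001:db8:1::14

table inet border {
    chain forward {
        # Default deny for everything that crosses the router.
        type filter hook forward priority 0; policy drop;

        # Replies to flows the inside initiated (firmware/software upgrades, etc.)
        # are let back in by connection tracking; no address translation needed.
        ct state established,related accept
        ct state invalid drop

        # Anything a LAN host starts toward the Internet is allowed out.
        iifname $lan oifname $wan accept

        # IPv6 depends on ICMPv6 errors (Path MTU discovery in particular);
        # dropping them blanket-style breaks connectivity, so pass these types.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request, echo-reply } accept

        # The explicit "mapping": the single inbound service meant to be reachable.
        iifname $wan oifname $lan ip6 daddr $server tcp dport 443 ct state new accept

        # Every other unsolicited packet from the WAN hits the drop policy above.
    }
}
```

Load with `nft -f <file>` on the router; the router's own `input` chain still needs a matching default-deny policy, which this fragment does not include.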