[AusNOG] IPv4 Exhaustion, APNIC EC, and James is a nice bloke ; -)

Charles Wyble charles at thewybles.com
Thu Jul 31 04:16:52 EST 2008


Robert Brockway wrote:
> On Sat, 19 Jul 2008, Steve Baxter wrote:
>
> Kris Price wrote:
>   
>>> NAT != security.
>>>       
>> Yes, but NAT is far better than everything in your house being globally
>> addressable - by anybody !
>>     
>
> Well I have rather expected the solution to that is a firewall.  Just 
> because the addresses are globally routable doesn't mean you have to allow 
> anyone in.  


Yes exactly. Isn't that what people do now? I mean many people use public address ranges for web servers and such even if they are behind a load balancer (say to allow hitting individual servers for testing). Doesn't mean you allow RDP/ssh access etc.

Policy based security is already heavily used and understood. Why should it be any different with IPv6? You should be able to have every device globally routable and have the same level of security NAT gives you.


> I'm actually surprised this is even being raised given that 
> firewalls are already readily available for home use.
>   

As am I.
> NAT was a hack to get around a specific problem. The problem is going to 
> go away and NAT should go away with it.
>   

Very well stated. NAT really really really needs to die. It wreaks havoc 
on things like SIP.

> As for IP fridges and the like, the ability to get dynamic firmware 
> updates has nothing to do with NAT existing on the network or not.  That 
> could be done right now - the fridge is going to be initiating the 
> connection, not the manufacturer as they have no way of knowing where the 
> fridge is (network-wise) before it calls home.  The fridge can easily open 
> a VPN connection home so the manufacturer can push updates over it.  This 
> can occur with or without NAT in IPv4 or IPv6.  

Exactly. IPv6 really isn't that different or exciting. More address space and some features implemented out of the box that are add ons for IPv4.
> I expect firmware updates 
> on IP connected appliances will be configurable.  This is consistent with 
> existing devices.
>   

Naturally.

I do not understand the resistance to IPv6, or the "OMG we will all be hax0red and our devices 0wn3d when NAT goes away". Many enterprises (especially in the US) have large swaths of publicly routable address space and mitigate risk with policy based security.


-- 
Charles Wyble (818) 280 - 7059
http://charlesnw.blogspot.com
CTO Known Element Enterprises / SoCal WiFI project
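Added example (not part of the thread above, not Charles's or AusNOG's configuration): an nftables ruleset for a small IPv6 gateway that gives globally routable hosts the same practical protection people attribute to NAT, i.e. nothing unsolicited reaches the inside unless policy explicitly allows it, while outbound connections and their return traffic work normally. Interface names `wan0` and `lan0`, the inside prefix `2001:db8:1::/64` and the host `2001:db8:1::10` are assumptions using the documentation prefix; substitute your own.

```nftables
#!/usr/sbin/nft -f
# Stateful IPv6 gateway policy. Default deny on both the gateway itself
# (input) and traffic crossing it (forward); conntrack lets replies back in.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # ICMPv6 is not optional: neighbor discovery, router advertisements
        # and path MTU discovery all depend on it. Blocking it "for security"
        # breaks IPv6 rather than hardening it.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request,
                      nd-router-solicit, nd-router-advert,
                      nd-neighbor-solicit, nd-neighbor-advert } accept

        # Management only from the inside (assumed LAN interface).
        iifname "lan0" tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Inside hosts may initiate anything outbound, exactly as behind NAT.
        iifname "lan0" oifname "wan0" accept

        # Inbound ICMPv6 needed for PMTUD and diagnostics to reach inside hosts.
        iifname "wan0" oifname "lan0" icmpv6 type { destination-unreachable,
                      packet-too-big, time-exceeded, parameter-problem,
                      echo-request } accept

        # The one deliberate exception: an assumed web server on the inside.
        # Everything else addressed to 2001:db8:1::/64 from the WAN is dropped
        # by the chain policy, so "globally routable" does not mean "reachable".
        iifname "wan0" oifname "lan0" ip6 daddr 2001:db8:1::10 tcp dport 443 accept
    }
}
```

Load with `nft -f` and inspect with `nft list ruleset`; a quick check that the policy does what the thread describes is to attempt a TCP connection from outside to a port other than 443 on an inside host and confirm it is dropped, while the same host can still open outbound connections and receive their replies. The ICMPv6 allow lists are the part most often omitted when people copy IPv4 "drop all inbound" habits across, and omitting them is what makes IPv6 behind a firewall feel broken.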



