[Novalug] [Ma-linux] IPV6 Questions
Gregory Maxwell
gmaxwell at gmail.com
Tue Jul 22 15:58:47 EDT 2008
On Tue, Jul 22, 2008 at 3:51 PM, Joseph S D Yao <jsdy at tux.org> wrote:
[snip]
> Yes, the IPv6 folks abhor NAT and hope that it will go away so that
> computers can talk to each other directly. But that takes away all the
> advantages of being able to monitor network aggregation points for bad
> things happening - attacks, malware, spam, etc.
ERRK! Bad information!
Just because you're not using 'NAT' *does not* mean that you can't do
stateful protocol inspection and connection tracking just like NATting
firewalls perform. You can, and doing so will get you the same
*security* properties as NAT gets you. Those kinds of activities
still break end-to-endness, but nowhere near as badly as NAT does;
just doing connection tracking and not address translation also avoids
the mess and confusion of having overlapping private addresses.
The removal of NAT will have very few security implications. The only
downside is that removing NAT removes a bit of topology hiding, though
since v6 LANs should be fairly uniformly sized there isn't as much
topology to hide. On the positive side, eliminating address
translation will remove a lot of sources of complexity and probably
make it easier to secure networks.
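An added illustration of the point made in this thread (not code from the original post or from any of its participants): an nftables ruleset for an IPv6 border router that does stateful connection tracking and drops unsolicited inbound traffic, exactly the property usually credited to NAT, with no address translation anywhere. The interface names `wan0`/`lan0` and the documentation prefix `2001:db8:1::/64` are assumed placeholders; the ruleset is printed as text so it can be reviewed or checked with `nft -c -f` before loading with `nft -f -` on the router.

```shell
#!/bin/sh
# Added example: IPv6 stateful filtering without NAT (nftables syntax).
# Interface names and prefix below are assumed placeholders, not from the thread.
WAN_IF="${WAN_IF:-wan0}"
LAN_IF="${LAN_IF:-lan0}"
LAN_PREFIX="${LAN_PREFIX:-2001:db8:1::/64}"

# Print the ruleset to stdout; on the router: gen_ip6_ruleset | nft -f -
gen_ip6_ruleset() {
  cat <<EOF
table ip6 edge {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Connection tracking does the work NAT is usually credited with:
        # replies to connections the inside opened are let back in, nothing else.
        ct state established,related accept
        ct state invalid drop

        # Inside hosts may open connections outward. There is no address
        # rewriting rule here: their global addresses are used end to end.
        iifname "$LAN_IF" oifname "$WAN_IF" ip6 saddr $LAN_PREFIX ct state new accept

        # ICMPv6 errors must pass or Path MTU discovery breaks; everything
        # else unsolicited from the WAN is dropped by the chain policy.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept
    }

    chain input {
        type filter hook input priority filter; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # Neighbour discovery has to work or the link is dead; these are
        # link-local messages, so restrict them to link-local sources.
        ip6 saddr fe80::/10 icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert } accept
        icmpv6 type echo-request accept
        # Management from the inside only.
        iifname "$LAN_IF" tcp dport 22 accept
    }
}
EOF
}

# Self-checks a reviewer can run without root: the ruleset must track state
# and must not contain any translation (masquerade/snat/dnat) statements.
ruleset_has_conntrack() {
  gen_ip6_ruleset | grep -q 'ct state established,related accept'
}
ruleset_has_no_nat() {
  ! gen_ip6_ruleset | grep -v '^ *#' | grep -Eq 'masquerade|snat|dnat'
}
```

The two helper functions make the thread's argument checkable: the ruleset contains the state-tracking rules that give NAT-like protection, and it contains no translation statement, so inside hosts keep their real addresses and the overlapping-private-address problem never arises.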