[TriLUG] Adding to the list of topics: IPv6

rasch at raschnet.com rasch at raschnet.com
Thu Jan 22 15:42:08 EST 2004


On Thu, Jan 22, 2004 at 03:38:38PM -0500, Brian Weaver <weave at oculan.com> wrote:
> I prefer to look at NAT as not delegating an entire set of machines as 
> second class citizens. Instead I tend to think of the machines behind 
> NAT/Firewall as children not yet battle hardened enough to handle the 
> real world. A prime example is my wife's Windows box. It just isn't 
> ready for all the bullies on the net. Anti-Virus software is like using 
> tissue paper for a bullet proof vest. If the bullet's a dud you are all 
> right, if not then pray for a poor marksman.
> 
> NAT is no excuse for poor internal security, but it does allow a certain 
> amount of flexibility and breathing room on internal systems. Think of it 
> as a gated community. Only a truly skilled and determined thug can get 
> in to bang on your door (unless you've left the gate open of course).

There's one point that seems to be lost in this discussion.  You can
still do NAT with IPv6.  You can also use a proper firewall and get the
security you're speaking about, without NAT.  At the same time, you'd be
able to have several VoIP phones, PDAs, intelligent devices which could
each be accessed by their individual addresses, rather than multiplexed
through one IP as most homes are currently.  So, an argument against
IPv6 by defending NAT misses the point.  IPv6 allows NAT _or_
individually routable addresses.  How could this possibly be worse?

David


