IPv6 and Firewall traversal
Rob Hasselbaum
rob-IdUdaS/NwSyQrzRDRVclEQ at public.gmane.org
Wed Mar 30 11:09:10 EDT 2011
On Wed, Mar 30, 2011 at 10:33 AM, Richard Pieri <Richard.Pieri-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org>wrote:
>
> Anyone who relies on NAT for security has almost no network security (see:
> source IP spoofing). NAT is not, and never has been, about security. It
> exists to address the limited address space in IPv4 but it is not formally
> part of IPv4. NAT is, ultimately, a clever hack used to link non-routable
> networks to routable networks.
>
> IPv6 removes this necessity. Thus, no NAT for IPv6. And hopefully there
> never will be. IPv6 has link-local and site-local addressing, which
> eliminates the need for segregating non-routable networks. This is built
> into the specification. For everything else there is SPI.
>
Agreed, NAT is not a required ingredient for an effective firewall. Apples
and oranges. It does, however, provide source obfuscation for individual
machines on a LAN, and there is some value in that. For example, I suspect
if it weren't for NAT, consumers would be paying their ISPs "per-node"
connection fees. If things move in that direction in a mostly-IPv6 world, we
could see a resurgence of NAT.
More information about the Discuss
mailing list