[CentOS] IPV4 is nearly depleted, are you ready for IPV6?

David Sommerseth dazo at users.sourceforge.net
Mon Dec 6 15:22:24 UTC 2010


On 06/12/10 15:53, Ross Walker wrote:
> On Dec 6, 2010, at 8:37 AM, Adam Tauno Williams <awilliam at whitemice.org> wrote:
> 
>> NO NO NO NO NO NO NO and NO!  (*@!^&*@$ &@*^*&$@  &*@^*&@  How many
>> times does this have to be explained???  NAT *IS* *NOT* a @*(&^*(^@(*@
>> security tool.  It isn't.  Stop saying it is.  You use *firewalls* for
>> security.  Just block ingress traffic and you are just as well off as
>> you are on NAT - and odds are in your NAT configure you are doing that
>> already.  All you do is eliminate the hacks, performance penalty, and
>> interoperability problems created by NAT.  NAT is a *problem*, not a
>> solution for anything other than a deficient network protocol.
> 
> There is no arguing that NAT is not a security tool, but if your
> firewall drops it's pants it's better to have non-routable addresses
> behind it.

Good point.  I'm just thinking out loud.

What if the gateway/router/firewall does not know about the IPv6 network
on the network interface where this "sensitive" IPv6 net is.

And does it really need to be connected to this gateway at all, if it
shouldn't be available to other networks at all?  And if there are some
odd reasons for doing so, what about having this IPv6 subnet in a
separate VLAN without a IPv6 gateway to the rest of the world?


kind regards,

David Sommerseth




More information about the CentOS mailing list