[CentOS] IPV4 is nearly depleted, are you ready for IPV6?

Les Mikesell lesmikesell at gmail.com
Tue Dec 7 17:01:35 UTC 2010


On 12/7/10 10:20 AM, Adam Tauno Williams wrote:
>
>>> Some people's belief that NAT is some magic sauce that makes
> themmore
>>> secure [it does not] or provides them more flexibility [it does not]
>>> than real addresses ... causes the people who understand networking to
>>> have to spend time explaining that their love of NAT is misguided and
>>> their beliefs about NAT are bogus.
>> If the ipv6 routers come with defaults that work the same as current NAT
>> routers, people will be able to continue to misunderstand them happily. That is,
>> permit outbound client connections from anything connected behind them without
>> much regard to how many devices there are, and block everything else.
>
> And doesn't that sound like you just describe a firewall?

It sounds like a complex setup for a firewall with dynamic entries to 
temporarily pass tcp and upd with different timeouts, where  1->many NAT doesn't 
have any other choice.  If you don't send outbound you don't get the nat table 
entry to forward anything back through it.

> "permit outbound client connections from anything connected behind them
> without  much regard to how many devices there are, and block everything
> else" isn't NAT.  That's a router/firewall.  Happily IPv6 does that
> exactly.

You didn't mention the number of devices - how does that play out when you 
exceed the number initially set up?

-- 
   Les Mikesell
    lesmikesell at gmail.com




More information about the CentOS mailing list