[CentOS] IPV4 is nearly depleted, are you ready for IPV6?
Les Mikesell
lesmikesell at gmail.com
Tue Dec 7 17:01:35 UTC 2010
On 12/7/10 10:20 AM, Adam Tauno Williams wrote:
>
>>> Some people's belief that NAT is some magic sauce that makes them more
>>> secure [it does not] or provides them more flexibility [it does not]
>>> than real addresses ... causes the people who understand networking to
>>> have to spend time explaining that their love of NAT is misguided and
>>> their beliefs about NAT are bogus.
>> If the ipv6 routers come with defaults that work the same as current NAT
>> routers, people will be able to continue to misunderstand them happily. That is,
>> permit outbound client connections from anything connected behind them without
>> much regard to how many devices there are, and block everything else.
>
> And doesn't that sound like you just describe a firewall?
It sounds like a complex setup for a firewall with dynamic entries to
temporarily pass tcp and udp with different timeouts, where 1->many NAT doesn't
have any other choice. If you don't send outbound you don't get the nat table
entry to forward anything back through it.
> "permit outbound client connections from anything connected behind them
> without much regard to how many devices there are, and block everything
> else" isn't NAT. That's a router/firewall. Happily IPv6 does that
> exactly.
You didn't mention the number of devices - how does that play out when you
exceed the number initially set up?
--
Les Mikesell
lesmikesell at gmail.com
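
The dynamic-entry behaviour discussed in this thread, as an added example that is not part of the original message: a toy Python model of a default-deny IPv6 forwarder that creates state on outbound traffic and passes inbound packets only when they match a live entry. The class name, prefix, addresses and timeout values are assumptions chosen for illustration, and direction is inferred from the source address rather than from an interface.

```python
import ipaddress

# Idle timeouts in seconds; assumed values for illustration, not any product's defaults.
TIMEOUT = {"tcp": 3600, "udp": 30}

class StatefulForwarder:
    """Toy model of a default-deny IPv6 router with dynamic state entries."""

    def __init__(self, lan_prefix):
        self.lan = ipaddress.ip_network(lan_prefix)
        self.state = {}  # (proto, src, sport, dst, dport) -> expiry time

    def forward(self, now, proto, src, sport, dst, dport):
        """Return True if the packet is passed, False if it is dropped."""
        if ipaddress.ip_address(src) in self.lan:
            # Outbound: always permitted; create or refresh the state entry.
            self.state[(proto, src, sport, dst, dport)] = now + TIMEOUT[proto]
            return True
        # Inbound: passed only as the reply to a live outbound flow.
        key = (proto, dst, dport, src, sport)
        expiry = self.state.get(key)
        if expiry is None:
            return False          # no entry: unsolicited, blocked
        if now >= expiry:
            del self.state[key]   # entry timed out
            return False
        self.state[key] = now + TIMEOUT[proto]
        return True

def demo():
    """Run constructed traffic through the model and collect the verdicts."""
    fw = StatefulForwarder("2001:db8:1::/64")   # documentation prefix
    server = "2001:db8:ffff::53"                # constructed outside host
    results = {}
    # Unsolicited inbound to a LAN host: no state entry exists.
    results["unsolicited"] = fw.forward(0, "tcp", server, 443, "2001:db8:1::10", 50000)
    # 300 LAN hosts, none configured individually, each send one UDP query.
    hosts = [f"2001:db8:1::{i:x}" for i in range(1, 301)]
    results["outbound"] = all(fw.forward(0, "udp", h, 40000, server, 53) for h in hosts)
    results["reply"] = all(fw.forward(1, "udp", server, 53, h, 40000) for h in hosts)
    # Once the UDP idle timeout has passed, the same reply no longer matches.
    results["late_reply"] = fw.forward(1 + TIMEOUT["udp"], "udp", server, 53, hosts[0], 40000)
    return results

if __name__ == "__main__":
    print(demo())
```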