On 06/12/10 15:53, Ross Walker wrote:
On Dec 6, 2010, at 8:37 AM, Adam Tauno Williams awilliam@whitemice.org wrote:
NO NO NO NO NO NO NO and NO! (*@!^&*@$ &@*^*&$@ &*@^*&@ How many times does this have to be explained??? NAT *IS* *NOT* a @*(&^*(^@(*@ security tool. It isn't. Stop saying it is. You use *firewalls* for security. Just block ingress traffic and you are just as well off as you are on NAT - and odds are in your NAT configure you are doing that already. All you do is eliminate the hacks, performance penalty, and interoperability problems created by NAT. NAT is a *problem*, not a solution for anything other than a deficient network protocol.
There is no arguing that NAT is not a security tool, but if your firewall drops its pants it's better to have non-routable addresses behind it.
Good point. I'm just thinking out loud.
What if the gateway/router/firewall does not know about the IPv6 network on the network interface where this "sensitive" IPv6 net is.
And does it really need to be connected to this gateway at all, if it shouldn't be available to other networks at all? And if there are some odd reasons for doing so, what about having this IPv6 subnet in a separate VLAN without an IPv6 gateway to the rest of the world?
kind regards,
David Sommerseth