Adam Tauno Williams wrote:
> On Mon, 2010-12-06 at 17:15 -0500, Bob McConnell wrote:
> > > So, spending one, two or hundreds of /64 subnets with public IPv6 addresses which are completely blocked in a firewall will serve exactly the same purpose as a site-local subnet. But this /64 net may get access to the Internet *if* allowed by the firewall. This is not possible with site-local at all. And of course, this is without NAT in addition. I hope this made it a little bit clearer.
> > Clear as mud. If I understand you correctly, I have to say that IPv6 is broken by design.
> It isn't.
> > I have a double handful of computers on my home network. Each of them needs access to the Internet to get updates to the OS and various applications. However, I do *NOT* want each and every one of them to show up as a unique address outside of my network.
> Why? Things will only work better. NAT is not some magic sauce, it is a *HACK*.
> > With IPv4 and m0n0wall running as the NAT, they are all translated to the single IP address that Roadrunner assigned to my firewall. I need to continue that mapping.
> Why? There is no reason. You are wrong, you do *NOT* need to "continue that mapping". That mapping is pointless.

No, it is not pointless. The first step in attacking any computer is finding the IP address. If that address is broadcast outside the firewall every time it talks to another computer, that step is simple. If it is hidden behind a firewall that does NAT, it becomes harder to find and that first step becomes much more difficult.

Currently, the only IP address transmitted outside my firewall is the one assigned to that firewall by the Roadrunner DHCP server. None of the addresses inside are exposed. That is a level of protection I am not prepared to give up. I don't care how much you evangelists blab about the new improved sauce, I still see it as a solution in search of a problem. As far as I am concerned, NAT already solved the address space problem.

Bob McConnell N2SPP
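The exchange above turns on what a firewall in front of a routed public /64 actually does: unsolicited inbound connections to the LAN hosts are dropped by default, while flows the LAN hosts open themselves are tracked in a state table so their return traffic gets through. The simulator below is an added example, not code from the thread or from m0n0wall; it models that policy with a minimal state table. The prefix 2001:db8:1234:1::/64, the host addresses and the `Packet`/`StatefulFirewall` names are constructed for illustration (2001:db8::/32 is the documentation prefix).

```python
"""Stateful IPv6 firewall policy simulator (added example, not from the thread).

Models a router with a public /64 behind it: inbound connections to LAN hosts
are denied unless explicitly published, outbound connections are allowed and
recorded, and packets belonging to a recorded flow pass in both directions.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample LAN prefix (documentation range, not a real allocation).
LAN_PREFIX = ipaddress.ip_network("2001:db8:1234:1::/64")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool  # True for a connection-initiating segment


class StatefulFirewall:
    def __init__(self, lan, allow_inbound=()):
        self.lan = lan
        # (address, port) pairs deliberately published to the outside.
        self.allow_inbound = set(allow_inbound)
        # Established flows as 5-tuples (src, sport, dst, dport); no translation
        # takes place, the table only records who opened what.
        self.states = set()

    def _in_lan(self, addr):
        return ipaddress.ip_address(addr) in self.lan

    def filter(self, pkt):
        """Return 'pass' or 'drop' for pkt and update the state table."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.states or reverse in self.states:
            return "pass"  # part of a flow a LAN host (or a published service) opened
        if self._in_lan(pkt.src) and not self._in_lan(pkt.dst):
            if pkt.syn:
                self.states.add(key)  # remember the outbound flow
            return "pass"
        if self._in_lan(pkt.dst) and pkt.syn:
            if (pkt.dst, pkt.dport) in self.allow_inbound:
                self.states.add(key)
                return "pass"
            return "drop"  # unsolicited inbound: default deny
        return "drop"  # stray non-SYN packet with no matching state


def demo():
    """Walk the three cases from the discussion; returns the verdicts in order."""
    fw = StatefulFirewall(LAN_PREFIX)
    pc = "2001:db8:1234:1::10"      # constructed LAN host with a public address
    mirror = "2001:db8:ffff::1"     # constructed update server on the Internet
    outside = "2001:db8:cafe::1"    # constructed unrelated outside host
    verdicts = []
    # 1. LAN host fetches updates: outbound connection, state recorded.
    verdicts.append(fw.filter(Packet(pc, 50000, mirror, 443, syn=True)))
    # 2. Server's reply matches the recorded state and passes.
    verdicts.append(fw.filter(Packet(mirror, 443, pc, 50000, syn=False)))
    # 3. Unsolicited connection attempt to the host's public address is dropped.
    verdicts.append(fw.filter(Packet(outside, 4444, pc, 22, syn=True)))
    # 4. A non-SYN packet with no matching state is dropped as well.
    verdicts.append(fw.filter(Packet(outside, 4444, pc, 22, syn=False)))
    return verdicts


if __name__ == "__main__":
    for case, verdict in zip(("outbound", "reply", "unsolicited SYN", "stray"), demo()):
        print(f"{case:16s} -> {verdict}")
```

The state-table logic is the same one a NATing IPv4 router keeps for its translations; removing the address rewriting leaves the pass/drop decisions unchanged, which is why a default-deny stateful filter on a public /64 gives the LAN hosts the same reachability from outside as the translated setup did. Passing `allow_inbound=[(addr, port)]` is the explicit opt-in for anything that should be reachable.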