Re: The Devil's in the Deployment RE: NATs as firewalls

[Douglas Otis <dotis at mail-abuse.org>]

On Mar 4, 2007, at 11:11 AM, Brian E Carpenter wrote:

> But irrelevant - the problems that NAT causes, and that having  
> sufficient address space (a.k.a. IPv6) solves, are orthogonal to  
> security. That is the whole point in this thread.

Of course stateful firewalls and NATs offer protection, whether for  
IPv4 or IPv6.  Most notable concerns are in regard to routing both  
IPv6 & IPv4.  Accommodating IPv6 likely require a sizable investment,  
with the effect of diminishing the value of an IP address.  Will this  
mean network behavior might then run amok?

Reducing the value of the IP address will impact security, as many  
protocols depend upon IP address ACLs and black-hole lists.  Being  
unable to readily track IPv6 address space will likely introduce an  
era where public acceptance of messaging adopts CA certificates over  
the use of IP addresses.  This practical necessity improves security,  
but also at a cost.

-Doug




_______________________________________________
Ietf mailing list
Ietf at ietf.org
https://www1.ietf.org/mailman/listinfo/ietf