
[rpd] Report of the Soft Landing issue

Noah noah at neo.co.tz
Fri Apr 7 18:43:59 UTC 2017


Hi Joe


+1 I wouldn't agree more...

On 7 Apr 2017 8:15 p.m., "Joe Abley" <jabley at hopcount.ca> wrote:

>
> On 7 Apr 2017, at 12:50, Noah <noah at neo.co.tz> wrote:
>
> > Most believe NAT protects them while IPv6 exposes them (so they are
> > reluctant to deploy IPv6 at a client level) and you wonder why they still
> > pay for anti-virus software for their clients that sit behind NAT.
> >
> > AFRINIC IPv6 trainings need to debunk the belief that IPv4/NAT offers
> > some sort of security to clients at the LAN level while delivering their
> > trainings to most of these network/systems engineers.
>
> It's important to speak the same language as your audience if you want to
> communicate.
>
> To protocol purists, of which there are surely many here, NAT is simply a
> mechanism for address translation. It can be unidirectional or
> bidirectional, dynamic or static, and its primary purpose is to join
> addressing domains, not to block packets.
>
> To people working in your average IT department, NAT means a bundle of
> (something like):
>
>  - allow outbound connections from the inside to the Internet
>  - allow very particular inbound connections to particular addresses and
> ports from the Internet, and map them to particular inside servers, and
> block everything else
>  - translate between the Internet and the internal addressing scheme
>
> To the purist this looks like a firewall that provides access control, for
> which NAT is just a necessary evil on the last line because of IPv4 address
> scarcity. When you implement that in an IPv6 world you don't need the NAT.
> But to the IT manager it's just "NAT", and when the IT manager hears "you
> don't use NAT with IPv6" what they think you're saying is "IPv6 doesn't
> support firewalls".
>
> We need a better common vocabulary for all of this. But in the meantime I
> think it's worth bearing in mind that calling an IPv6 firewall between an
> enterprise network and the Internet a "NAT" is in some cases more likely to
> result in understanding than insisting that no NAT is required.
>
> Sometimes we should ask ourselves whether it's more important to be right
> than to make progress.
>
>
> Joe
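The distinction drawn in the quoted message, shown as an added illustration that is not part of the original thread: a simplified gateway model in which the accept/drop verdict comes only from connection state and the list of published services, while translation changes nothing but the source address seen on the wire. The class and function names are hypothetical, all addresses are constructed documentation-range values, inbound packets are shown after any address mapping, and the NAT is assumed to preserve source ports.

```python
from dataclasses import dataclass, field

@dataclass
class Gateway:
    published: set            # inside (addr, port) pairs opened to the Internet
    translate: bool           # True: IPv4 with NAT; False: routed IPv6, no NAT
    public_addr: str = "198.51.100.1"   # constructed documentation address
    flows: set = field(default_factory=set)

    def forward(self, direction, inside, outside):
        """Filtering verdict. Note that it never consults self.translate."""
        if direction == "out":                 # inside host opens a connection
            self.flows.add((inside, outside))
            return "accept"
        if (inside, outside) in self.flows:    # reply to an inside-opened flow
            return "accept"
        if inside in self.published:           # explicitly published service
            return "accept"
        return "drop"                          # everything else from outside

    def source_on_wire(self, inside):
        """Translation only changes which source address the Internet sees."""
        return (self.public_addr, inside[1]) if self.translate else inside


def verdicts(translate, host, server):
    """Run one constructed packet trace through a gateway, return verdicts."""
    gw = Gateway(published={(server, 443)}, translate=translate)
    peer = ("203.0.113.9", 443) if translate else ("2001:db8:ffff::9", 443)
    scanner = ("203.0.113.66", 40000) if translate else ("2001:db8:ffff::66", 40000)
    trace = [
        ("out", (host, 51000), peer),      # client browses out
        ("in", (host, 51000), peer),       # reply to that connection
        ("in", (host, 22), scanner),       # unsolicited probe of a client
        ("in", (server, 443), scanner),    # published service
        ("in", (server, 3389), scanner),   # unpublished port on the server
    ]
    return [gw.forward(*p) for p in trace]


if __name__ == "__main__":
    print("IPv4 + NAT :", verdicts(True, "10.0.0.5", "10.0.0.80"))
    print("IPv6 no NAT:", verdicts(False, "2001:db8:1::5", "2001:db8:1::80"))
```

Both runs produce the same five verdicts, which is the access-control part of what the message says an IT department bundles under the name "NAT".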

