
[rpd] Report of the Soft Landing issue

Noah noah at neo.co.tz
Thu Apr 20 18:40:56 UTC 2017


Owen

+1 I am in agreement....

Noah

On 20 Apr 2017 9:32 p.m., "Owen DeLong" <owen at delong.com> wrote:


On Apr 7, 2017, at 09:50 , Noah <noah at neo.co.tz> wrote:



On 7 Apr 2017 7:36 p.m., "Willy MANGA" <willy.manga at auf.org> wrote:

Hello Alain,
my intention was not to insult IPv4 fans.

I put on the other hand all the amazing work AFRINIC training team is
doing and I am sometimes disappointed when I see no v6 traffic after one
year from many sites especially universities. They should not be
concerned by v4 stuff in my humble opinion ..



Most believe NAT protects them while IPv6 exposes them (so they are
reluctant to deploy IPv6 at a client level) and you wonder why they still
pay for anti-virus software for their clients that sit behind NAT.


I would like to sell a certain famous New York bridge to anyone who
believes that NAT offers protection.

Stateful inspection offers protection (to some limited extent).
You cannot unmangle packet headers without stateful inspection, so if you
have NAT (of the form perceived as protection), you have stateful
inspection.
Unfortunately, we have an entire generation of network and systems people
who grew up assuming that NAT was a normal condition rather than the
disease that it represents. Many of them were never taught about stateful
inspection or the difference between or separation of stateful inspection
from NAT and take for granted that they are one and the same. This simply
isn’t accurate.

A public IPv4 or IPv6 address behind a stateful inspection firewall has
exactly the same risks and safety as a translated (AKA private) address
behind a stateful inspection coned NAT. A 1:1 stateless NAT offers exactly
the same protections as a public address without a NAT (i.e. none
whatsoever).

In fact, IPv4/NAT as currently widely deployed is harmful to security in
that it not only offers no protection, but it obfuscates and complicates
the process of identifying abusers and auditing activity on the network.

AFRINIC IPv6 trainings need to debunk the belief that IPv4/NAT offers some
sort of security to clients at the LAN level while delivering their
trainings to most of these network/systems engineers.


At least to the extent that I have observed said training and in my
discussions with Tamon, I believe this already occurs. If you believe it
does not, I suggest you discuss directly with Tamon.

Owen
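
The comparison in the quoted message (stateful inspection is what drops unsolicited traffic, with or without address translation) can be checked with a small model. This is an added example, not part of the original thread; `Packet`, `Gateway`, `survey` and all addresses are constructed for illustration, and the NAT is simplified to a 1:1 address mapping that leaves ports unchanged.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class Gateway:
    stateful: bool                             # keeps a connection-tracking table
    nat: dict = field(default_factory=dict)    # inside address -> outside address
    flows: set = field(default_factory=set)    # flows seen leaving the network

    def outbound(self, p):
        """Forward an inside->outside packet, translating the source if NAT is on."""
        out = Packet(self.nat.get(p.src, p.src), p.sport, p.dst, p.dport)
        if self.stateful:
            self.flows.add((out.src, out.sport, out.dst, out.dport))
        return out

    def inbound(self, p):
        """Return the packet delivered to the inside host, or None if dropped."""
        if self.stateful and (p.dst, p.dport, p.src, p.sport) not in self.flows:
            return None                        # no matching outbound flow: dropped
        reverse = {outside: inside for inside, outside in self.nat.items()}
        return Packet(p.src, p.sport, reverse.get(p.dst, p.dst), p.dport)

# Constructed sample addresses (RFC 1918 and documentation ranges).
PRIVATE, PUBLIC = "192.168.1.10", "203.0.113.10"
SERVER, STRANGER = "198.51.100.5", "198.51.100.99"

def survey():
    """For each gateway type: (reply to own request delivered, unsolicited probe delivered)."""
    gateways = {
        "stateful firewall, public address": Gateway(stateful=True),
        "stateful NAT": Gateway(stateful=True, nat={PRIVATE: PUBLIC}),
        "stateless 1:1 NAT": Gateway(stateful=False, nat={PRIVATE: PUBLIC}),
        "public address, no firewall": Gateway(stateful=False),
    }
    results = {}
    for name, gw in gateways.items():
        host = PRIVATE if gw.nat else PUBLIC
        sent = gw.outbound(Packet(host, 40000, SERVER, 443))
        reply = gw.inbound(Packet(SERVER, 443, sent.src, sent.sport))
        probe = gw.inbound(Packet(STRANGER, 5555, sent.src, 22))
        results[name] = (reply is not None, probe is not None)
    return results
```

In this model the two stateful gateways give identical results, and the stateless 1:1 NAT behaves exactly like a public address with no firewall.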