<div dir="auto">Owen<div dir="auto"><br></div><div dir="auto">+1 I am in agreement....</div><div dir="auto"><br></div><div dir="auto">Noah</div></div><div class="gmail_extra"><br><div class="gmail_quote">On 20 Apr 2017 9:32 p.m., "Owen DeLong" <<a href="mailto:owen@delong.com">owen@delong.com</a>> wrote:<br type="attribution"><blockquote class="quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word"><br><div><div class="quoted-text"><blockquote type="cite"><div>On Apr 7, 2017, at 09:50 , Noah <<a href="mailto:noah@neo.co.tz" target="_blank">noah@neo.co.tz</a>> wrote:</div><br class="m_5236845711598516043Apple-interchange-newline"><div><div dir="auto"><div><br><div class="gmail_extra"><br><div class="gmail_quote">On 7 Apr 2017 7:36 p.m., "Willy MANGA" <<a href="mailto:willy.manga@auf.org" target="_blank">willy.manga@auf.org</a>> wrote:<br type="attribution"><blockquote class="m_5236845711598516043quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello Alain,<br>
my intention was not to insult IPv4 fans .<br>
<br>
I put on the other hand all the amazing work AFRINIC training team is<br>
doing and I am sometimes disapointed when I see no v6 traffic after one<br>
year from many sites especially universities. They should not be<br>
concerned by v4 stuff in my humble opinion ..</blockquote></div></div></div><div dir="auto"><div class="gmail_extra"><div class="gmail_quote"><blockquote class="m_5236845711598516043quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="m_5236845711598516043elided-text"><br></div></blockquote></div></div></div><div dir="auto"><br></div><div dir="auto">Most believe NAT protects them while IPv6 exposes them (so they are reluctant to deploy IPv6 at a client level) and you wonder why they still pay for anti-virus software for their clients that seat behind NAT.</div></div></div></blockquote><div><br></div></div>I would like to sell a certain famous New York bridge to anyone who believes that NAT offers protection.</div><div><br></div><div>Stateful inspection offers protection (to some limited extent).</div><div>You cannot unmangle packet headers without Stateful inspection, so if you have NAT (of the form perceived as protection), you have stateful inspection.</div><div>Unfortunately, we have an entire generation of network and systems people who grew up assuming that NAT was a normal condition rather than the disease that it represents. Many of them were never taught about stateful inspection or the difference between or separation of stateful inspection from NAT and take for granted that they are one and the same. This simply isn’t accurate.</div><div><br></div><div>A public IPv4 or IPv6 address behind a stateful inspection firewall has exactly the same risks and safety as a translated (AKA private) address behind a stateful inspection coned NAT. A 1:1 stateless NAT offers exactly the same protections as a public address without a NAT (i.e. none whatsoever).</div><div><br></div><div>In fact, IPv4/NAT as currently widely deployed is harmful to security in that it not only offers no protection, but it obfuscates and complicates the process of identifying abusers and auditing activity on the network.</div><div><br></div><div><div class="quoted-text"><blockquote type="cite"><div><div dir="auto"><div dir="auto">AFRINIC IPv6 trainings need to debunk the belief that IPv4/NAT offers some sort of security to clients at the LAN level while delivering their trainings to most of this network/systems engineers.</div></div></div></blockquote><div><br></div></div>At least to the extent that I have observed said training and in my discussions with Tamon, I believe this already occurs. If you believe it does not, I suggest you discuss directly with Tamon.</div><font color="#888888"><div><br></div><div>Owen</div><div><br></div></font></div></blockquote></div><br></div>