ietf
[Top] [All Lists]

Re: myth of the great transition (was US Defense Department forma lly adopts IPv6)

2003-06-18 23:40:01
If you need a secure zone, and you want a firewall, then should install a firewall. You should not put an NAT thinking that it is also a firewall.

But I agree with you that NAT is here to stay.

-James Seng

Fleischman, Eric wrote:
Eric Rescorla [mailto:ekr(_at_)rtfm(_dot_)com] wrote:


similarly, people who install NAT usually don't realize how much this
costs them in lost functionality and reliability.


Really? You have evidence of this?


I don't either, but my intuition is that you're wrong.  Once you have
decided to have a firewall in place (which you may think is evil, but
I consider pretty much a necessary evil), I suspect that most people
suffer almost not at all from having a NAT.


I believe that Eric is pointing out an important point: many deployments of NATs have nothing to do with IPv4 address conservation. Rather, they are firewall adjuncts implemented to hide internal networks from outside scrutiny and direct access.
One point where I disagree with my IPv6-advocating friends is that I expect firewall-related NATs 
to continue to be deployed within Internet (including IPv6) environments until such a time as 
real-time-protocol and peer-to-peer-protocol friendly "distributed firewall" (policy 
zones) variants become the preferable "due diligence" alternative for CIOs.








<Prev in Thread] Current Thread [Next in Thread>