
Re: Domain Centric Administration, RE: draft-ietf-v6ops-natpt-to-historic-00.txt

2007-07-02 10:07:37


On Monday, July 02, 2007 07:01:28 AM -0700 "Hallam-Baker, Phillip" <pbaker(_at_)verisign(_dot_)com> wrote:

> And from a security point I want to see as much NAT as possible.

Whereas I want my applications to work, and people to stop conflating NAT and firewalls.

You don't want to see as much NAT as possible; you want to see as much blocking of inbound connections to consumers as possible, and for some reason you seem to think that a firewall which does that must necessarily also be a NAT. In fact, it does not; it's perfectly reasonable to build a box that can be sold for <$50 which sits between a subscriber's computer and the Internet and provides a basic firewall. Such a thing could be combined in the same box as an ethernet switch, wireless AP, maybe a basic router, DNS cache, and so on. In fact, plenty of such boxes are sold today, except they all come with NAT turned on by default.

That is _not_ because NAT makes the network more secure - it doesn't.
It's because most of the people buying those boxes "need" NAT because their ISPs won't give them more than one address, or at least won't do so for a reasonable price. Fix _that_ problem, and you'll start seeing boxes that provide security and flexibility without needing NAT.


Frankly, Phill, I'm surprised and disappointed that you are not only making such a basic mistake, but spreading FUD about it.

-- Jeff
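The point Jeff makes above (inbound blocking is a firewall property, and NAT only appears to provide it as a side effect of its translation table) can be shown with two toy models. This is an added example, not code from the thread or from any product it mentions: a stateful packet filter that forwards flows initiated from the LAN and drops everything else without rewriting a single address, beside a full-cone NAT (the RFC 3489 term) whose mapping, once created by an outbound packet, lets any external host reach the inside host on the mapped port. All prefixes and packets are constructed documentation addresses; the class names and `demo()` helper are this example's own.

```python
"""Toy models: (a) a stateful filter that blocks unsolicited inbound traffic
without address translation, (b) a full-cone NAT whose table exists to
translate, not to enforce policy.  Constructed example, not real router code."""
from dataclasses import dataclass, replace
import ipaddress

# Constructed prefixes: a globally routed IPv6 LAN behind the filter, and an
# RFC 1918 LAN behind the NAT.
FW_INSIDE = ipaddress.ip_network("2001:db8:1::/64")
NAT_INSIDE = ipaddress.ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def _inside(addr, net):
    return ipaddress.ip_address(addr) in net


class StatefulFirewall:
    """Allow flows initiated from inside, drop everything else. No NAT."""

    def __init__(self, inside=FW_INSIDE):
        self.inside = inside
        self.flows = set()  # 5-tuples of flows seen leaving the LAN

    def process(self, pkt):
        if _inside(pkt.src, self.inside) and not _inside(pkt.dst, self.inside):
            # Outbound: remember the flow so its replies can come back.
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "forward", pkt  # addresses and ports untouched
        if _inside(pkt.dst, self.inside) and not _inside(pkt.src, self.inside):
            # Inbound: only the exact reverse of a known outbound flow passes.
            key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            return ("forward", pkt) if key in self.flows else ("drop", None)
        return "drop", None  # not a LAN<->Internet packet; out of scope here


class FullConeNat:
    """Full-cone NAT: once an inside host:port is mapped to an external port,
    any external host may send to that port and reach the inside host."""

    def __init__(self, external="203.0.113.1", inside=NAT_INSIDE, first_port=40000):
        self.external, self.inside = external, inside
        self.next_port = first_port
        self.out_map = {}  # (in_addr, in_port) -> ext_port
        self.in_map = {}   # ext_port -> (in_addr, in_port)

    def process(self, pkt):
        if _inside(pkt.src, self.inside):
            key = (pkt.src, pkt.sport)
            if key not in self.out_map:  # first packet of a flow creates the mapping
                self.out_map[key] = self.next_port
                self.in_map[self.next_port] = key
                self.next_port += 1
            return "forward", replace(pkt, src=self.external, sport=self.out_map[key])
        if pkt.dst == self.external and pkt.dport in self.in_map:
            # No check on who is sending: the mapping alone decides.
            in_addr, in_port = self.in_map[pkt.dport]
            return "forward", replace(pkt, dst=in_addr, dport=in_port)
        return "drop", None  # no mapping: nothing to translate to


def demo():
    """Run a constructed packet sequence through both boxes and return verdicts."""
    fw, nat = StatefulFirewall(), FullConeNat()
    results = {}
    # Filter: outbound HTTPS from a LAN host, its reply, then an unsolicited SSH attempt.
    results["fw_outbound"] = fw.process(Packet("2001:db8:1::10", 51000, "2001:db8:2::80", 443))[0]
    results["fw_reply"] = fw.process(Packet("2001:db8:2::80", 443, "2001:db8:1::10", 51000))[0]
    results["fw_unsolicited"] = fw.process(Packet("2001:db8:9::1", 40000, "2001:db8:1::10", 22))[0]
    # NAT: one outbound UDP datagram creates a mapping ...
    verdict, translated = nat.process(Packet("192.168.1.10", 51000, "198.51.100.5", 3478, "udp"))
    results["nat_outbound"], results["nat_ext_port"] = verdict, translated.sport
    # ... which an unrelated external host can then use to reach the inside host.
    stranger = Packet("198.51.100.99", 1234, "203.0.113.1", translated.sport, "udp")
    verdict, translated = nat.process(stranger)
    results["nat_stranger"] = verdict
    results["nat_stranger_reaches"] = translated.dst if translated else None
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The filter never touches an address, so applications that embed addresses in payloads keep working, and the inbound policy is explicit rather than an accident of the translation table. On a Linux router the same policy is a default-drop input/forward chain on the WAN side with a `ct state established,related accept` rule, and no nat table at all.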

