Mailinglist Archive: opensuse (1777 mails)

Re: [opensuse] Moving to IPv6
  • From: Adam Tauno Williams <awilliam@xxxxxxxxxxxxx>
  • Date: Thu, 09 Sep 2010 13:57:05 -0400
  • Message-id: <1284055025.3942.56.camel@xxxxxxxxxxxxxxx>
On Thu, 2010-09-09 at 13:43 -0400, John E. Perry wrote:
On 09/08/2010 05:33 PM, Adam Tauno Williams wrote:
Golly - NAT IS NOT A SECURITY MEASURE! How many times does that have to
be said to sink in?
So what? I've never run across a router that wasn't also a pretty decent
firewall. My present Netgear Wifi router makes me invisible to the
public Internet, and that's the way I like it. Using WPA/PSK makes me
close enough to safe from wardrivers for my purposes.
Yeah, if I stored a lot of critical information on my wife's Windows
computers, and if I were important enough or rich enough to make it
worth some crook's while to attack me, I could see the need for more.
Desirable perhaps, but not practical.
Why? Firewalls are cheap and abundant. It is extremely practical and
[I hope] common practice. It is legally required in many circumstances.
So what? I don't want to have to maintain separate external firewalls for

Eh? Who said to do that? You operate a firewall on your router, just
like you operate your NAT, only it is just a firewall'd router [not a
firewall router and a bunch of NAT hacks].

Internet<---->(IPv6 firewall/router)<--->(IPv6 network)

instead of

Internet<---->(IPv6 firewall/router+NAT)<--->(IPv6 network)

That's it. It is categorically simpler. Firewall blocks all incoming
connections - Done. Which is essentially what people on this list
_believe_ NAT is doing currently.

I was really worried about IPv6 when this topic came up a few months
ago, thinking it would make it much harder for me to maintain what I
have now.

It won't, it will be much easier.

But the (restricted address?) feature, that makes it possible
for me to keep an internal local network, still invisible to the outside
world, relieved my apprehensions in that respect.

True, and with IPv6 it is much simpler to have multiple addresses and
subnets on an interface.

Breaking some protocols, true, ftp is something that was broken from the
start

Why? Nothing is broken about FTP. NAT breaks it. Don't claim a
protocol is broken because it breaks when used with a hack. By that
logic Open Office is "broken" because MS-Word can't open an ODT file.

NAT is just a pain, and a pointless one.
For you, maybe, as a professional systems administrator. For me, as a
simple-minded home user, it's a blessing

Why on earth do you believe that? NAT isn't doing *anything* but
hacking around an IPv4 limitation. Operationally under IPv6 you only
have a simpler network - and just as much privacy.

. And only the (restricted
address?) feature saves me from major problems when I have to go to IPv6.

I don't see how, but OK.

I'm now pretty much neutral as to when v6 happens for me. But this
silliness of IPv4 NAT being a Bad Thing for everyone irritates me.

It is a bad thing, FACT, full-stop. Because a breakage [limitation]
doesn't apply to you doesn't make it "contrived", "bogus", "false", or
anything else. Firewalls good, NAT bad. It seems a *lot* of people are
very much confusing the functionality of a router, a firewall, and NAT.
A firewall is what protects you - not NAT.

<http://www.cs.utk.edu/~moore/what-nats-break.html>
<http://www.faqs.org/rfcs/rfc1627.html>

It is a necessary evil now, it will be a better network when it is gone.

My
router with dhcp makes NAT and firewalling Just Work for me and mine.
You want v6; fine. I'll have to go to it soon; fine.
--that is, now that I'm pretty sure v6 won't impose a huge new workload
on my home networking arrangement.
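
The firewalled-router layout described in the message above, as an added example that is not part of the original thread: an nftables ruleset for a Linux router that forwards IPv6 without NAT and drops every connection initiated from outside. The interface names `wan0` and `lan0`, the table name, and the choice of nftables are assumptions made for illustration.

```nftables
#!/usr/sbin/nft -f
# Added illustration: IPv6 firewall/router with no NAT.
# Assumed names: wan0 = Internet side, lan0 = internal network.

table ip6 gateway {
    # Traffic routed between the Internet and the internal network.
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections that internal hosts opened. ICMPv6 errors
        # tied to those flows (e.g. packet-too-big) match "related".
        ct state established,related accept
        ct state invalid drop

        # Internal hosts may open connections outward.
        iifname "lan0" oifname "wan0" accept

        # Nothing else matches, so any new connection arriving on wan0
        # falls through to "policy drop". Internal hosts keep their
        # global addresses; no address rewriting is involved.
    }

    # Traffic addressed to the router itself.
    chain input {
        type filter hook input priority 0; policy drop;

        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Neighbor discovery and router messages; IPv6 stops working on
        # the link without these.
        icmpv6 type { nd-router-solicit, nd-router-advert,
                      nd-neighbor-solicit, nd-neighbor-advert } accept
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept

        # Assumption: administration over SSH from the inside only.
        iifname "lan0" tcp dport 22 accept
    }
}
```

A router that obtains its prefix over DHCPv6 on `wan0` would also need the DHCPv6 client port opened in the `input` chain; that is left out here.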

