On 12/16/2014 02:32 PM, John Andersen wrote:
> NAT IS a means of security. (Your reason for saying it should not be so considered is totally non-germane). NAT and firewalls are, for most implementations, one and the same.
Please explain what security NAT provides beyond what's capable with a properly configured firewall. NAT is only used due to the lack of addresses. If we had sufficient addresses on IPv4, so that everyone could get a reasonable number of addresses, then the need for NAT would disappear.
> And in regards to the current discussion, you would STILL have the same problem of traversal with a properly configured network firewall in a pure IPv6 network. You aren't going to get direct inbound connections on any corporate network.
NAT traversal is not the same issue as passing through a firewall. However, that NAT traversal is what requires use of hacks such as STUN and TURN. So, with NAT, you need not only traversal, but still some means of allowing the desired traffic through.
> IPv6 opens more security issues than most people think. Firewalls are going to be even more important.
The exact same filters used on IPv4 are also available on IPv6, so as far as protocols being open, the situation is the same. IPv6 also properly supports multiple addresses and routes better than IPv4 and that's something that has to be considered.

On the other hand, consumer grade routers generally come configured to block everything, with exceptions then being configured to allow desired protocols through. This is no different on IPv6 or a non-NAT IPv4 firewall.

On commercial grade routers from Cisco etc., firewall functions must be specifically enabled. But again you start with a block everything access list and then start adding exceptions. On Cisco, a block everything access list can be created simply by creating the access list with nothing more than a remark line in it and then applying it to the incoming side of the port connected to the Internet. This will then create a deny all firewall, as all access lists have an implicit deny all at the end. You now have a firewall that's every bit as effective as NAT at blocking incoming connections. If you're running both IPv4 and IPv6, you create an access list for each. So, it's not terribly complicated.

Also, IPSec originated as part of the IPv6 spec, so is fully supported on it. Another security or rather privacy feature is random number based IPv6 addresses, which mean you can no longer match an address with a specific device.
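The "access list with nothing more than a remark, applied inbound on the Internet port" procedure above, written out as a Cisco IOS configuration for both address families. This is an added example, not configuration from the list message or from any poster; the interface name and the 192.0.2.0/24 and 2001:db8::/48 documentation prefixes are placeholders.

```cisco
! Added example (not from the list message). Interface name and the
! 192.0.2.0/24 and 2001:db8::/48 documentation prefixes are placeholders.
!
! Phase 1: the "block everything" lists. An access list holding only a
! remark matches nothing, so the implicit deny at its end drops every
! inbound packet once the list is applied to the Internet-facing port.
ip access-list extended INET-IN-V4
 remark Default deny: implicit "deny ip any any" at the end drops everything
!
! Same idea for IPv6. Caveat: IOS IPv6 access lists also carry implicit
! "permit icmp any any nd-na" and "permit icmp any any nd-ns" entries ahead
! of the implicit deny, so Neighbor Discovery on the uplink keeps working.
ipv6 access-list INET-IN-V6
 remark Default deny: implicit "deny ipv6 any any" at the end drops everything
!
! Apply both lists on the incoming side of the port connected to the Internet.
interface GigabitEthernet0/0
 description Uplink to the Internet
 ip access-group INET-IN-V4 in
 ipv6 traffic-filter INET-IN-V6 in
!
! Phase 2: add exceptions. Re-entering a named list appends permit lines,
! which are evaluated before the implicit deny at the end.
ip access-list extended INET-IN-V4
 permit tcp any 192.0.2.0 0.0.0.255 established
 permit tcp any host 192.0.2.10 eq 443
!
ipv6 access-list INET-IN-V6
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit tcp any 2001:DB8::/48 established
 permit tcp any host 2001:DB8::10 eq 443
```

Two points to note when adapting this. The `established` lines are a stateless check on the TCP ACK/RST flags, not connection tracking; as the message says, real stateful firewall functions on IOS have to be enabled separately, and with them the `established` lines are unnecessary. Second, on IPv6 do not block ICMPv6 wholesale: `packet-too-big` is required for path MTU discovery, so a default-deny IPv6 list that omits it silently breaks large transfers even though every TCP port appears to work.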