On 12/16/2014 11:24 AM, James Knott wrote:
On 12/16/2014 01:52 PM, John Andersen wrote:
On 12/16/2014 09:08 AM, James Knott wrote:
With IPv6 and its incredible number of public unicast addresses, NAT & STUN are not needed.
Oh yes they are needed.
You think firewalls are going away just because we have lots of address space?
STUN is only PART (a very small part) of the process. STUN just gets addresses of the end firewall of the end points. That's all it does. It is not a transport.
I thought that is what I was saying in that STUN isn't necessary with public addresses. STUN provides the NAT firewall address, when the devices would normally provide actual addresses. Once the other end has the firewall address, the NAT traversal kicks in and sends the incoming packets to the destination device. Without NAT, the need for STUN disappears. This is completely different from the function of opening a firewall to allow the traffic. You seem to be one of those who confuses NAT with firewall filtering. As I mentioned, NAT is a hack to work around the IPv4 address shortage. It should not be considered a means of security, in that it provides nothing that a properly configured firewall can't in that regard.
NAT IS a means of security. (Your reason for saying it should not be so considered is totally non-germane). NAT and firewalls are, for most implementations, one and the same. And in regards to the current discussion, you would STILL have the same problem of traversal with a properly configured network firewall in a pure IPv6 network. You aren't going to get direct inbound connections on any corporate network. IPv6 opens more security issues than most people think. Firewalls are going to be even more important.

--
After all is said and done, more is said than done.