Thus wrote Roger Marquis ([email protected]):
> _Also_? Some? Really? I don't mean to question Margaret's experience
> but I have to wonder what this statement is based on. Most of us
> security professionals use NAT to block _all_ incoming connections
> _by_default_. This is known as fail-closed.
I use firewall rules for that. :)
Given that your NAT device is likely your firewall, why do you trust
your co-admins not to accidentally change N:1 NAT if you don't trust
them to keep the incoming block around?
I don't think N:1 NAT is in the long-term best interest of enterprises,
even if it will likely take about as long to un-learn NAPT as it took
to learn CIDR. Privacy is a concern, but newer Windows machines seem
to do privacy addressing with great abandon, and other current OSes
at least use them if told.
I don't see much point in trying to prevent people from using whatever
they want now, though, as long as it has no immediate impact on
third parties; standard practice will change by itself when the
advantages are apparent. Same holds true for NAT at all and potential
better solutions, btw.
regards,
spz
--
[email protected] (S.P.Zeidler)
_______________________________________________
nat66 mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/nat66
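The "fail-closed" behaviour discussed in this thread (unsolicited inbound connections dropped by default) comes from a stateful filter, not from address translation, so it can be expressed directly for IPv6 without NAT. The ruleset below is an added example and not from any poster on the list; it is an nftables configuration for a small router with one LAN interface (`lan0`) and one upstream interface (`wan0`), both of which are assumed names. The ICMPv6 allowances are the part most often forgotten when people move a default-deny policy from IPv4 to IPv6: neighbour discovery, router advertisements and packet-too-big must still pass or the network stops working.

```nft
#!/usr/sbin/nft -f
# Added example (not from the mailing-list thread): stateful default-deny
# filtering for IPv6 with no NAT involved. Interface names lan0/wan0 are
# assumptions; replace them with the real ones.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # IPv6 cannot function without these ICMPv6 messages:
        # neighbour discovery, router advertisements, path-MTU discovery.
        icmpv6 type {
            destination-unreachable, packet-too-big, time-exceeded,
            parameter-problem, echo-request,
            nd-router-solicit, nd-router-advert,
            nd-neighbor-solicit, nd-neighbor-advert
        } accept

        # Legacy IPv4 error signalling and ping.
        icmp type {
            destination-unreachable, time-exceeded,
            parameter-problem, echo-request
        } accept

        # Explicitly permitted services to the router itself go here.
        # Everything not listed falls through to the chain policy (drop).
        iif "lan0" tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for flows the LAN initiated.
        ct state established,related accept
        ct state invalid drop

        # LAN hosts may open connections outward.
        iif "lan0" oif "wan0" accept

        # PMTU discovery must be able to reach LAN hosts even though
        # the error arrives "unsolicited" from the outside.
        icmpv6 type {
            destination-unreachable, packet-too-big,
            time-exceeded, parameter-problem
        } accept

        # Any other inbound connection attempt toward a LAN host is
        # dropped by the chain policy: this is fail-closed without NAT.
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f <file>` and check the result with `nft list ruleset`. The property to verify is that the `forward` chain's policy is `drop` and that the only rules accepting traffic from `wan0` toward `lan0` are the conntrack state rule and the ICMPv6 error types; a co-admin who later adds a NAT table or removes one does not change that, which is the point of keeping the inbound block in the filter rather than relying on N:1 NAT for it.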