On 03/31/2014 08:34 AM, George, Wes wrote:
>> From: Qiong <[email protected]>
>>
>> Just a quick question: I think NAT is a quite common function in
>> firewall, is there some reason that it should not be included in IPv6
>> firewall ?
>
> WG] Because NAT should not be used unless necessary. NAT is often
> confused with security (i.e. security by obscurity),

The thing is NAT, directly or indirectly, brings:

1) Host/network masquerading
2) Diode-like firewall functionality (only allow communications
   initiated from the internal network).

"2" is really a side effect, though. But the above are certainly
interesting from a security pov.

(Note: I'm not endorsing the use of NAT, nor suggesting that we should
include anything about NATs in this I-D... Just trying to add another
perspective).

> but we're really
> trying to break that conflation in IPv6 since it is also not necessary
> for address preservation and really shouldn't be used for even 1:1
> address translation since it is possible to add multiple addresses for
> hosts, so that they can have addresses for both internal and external
> scope, rather than the existing private/public NAT that happens in many
> networks today on IPv4.
>
> So if anything, the document probably needs words to that effect so that
> it's explicitly clear that this is a non requirement.

I'll try to craft some text along these lines and post it to the
mailing-list for review...

Thanks!

Cheers,
--
Fernando Gont
SI6 Networks
e-mail: [email protected]
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
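The "diode-like" property named as point 2 above (only connections initiated from the internal network get through) comes from connection tracking, not from address rewriting, which is why it can be had in IPv6 without NAT while hosts keep their global addresses, as the quoted reply argues. The ruleset below is an added example written for this page; it is not from the thread, the OPSEC I-D, or SI6 Networks. The interface names `lan0`/`wan0` and the documentation prefix `2001:db8:1::/64` are assumptions.

```nftables
# Added example (not from the thread): an IPv6 stateful filter that gives the
# "diode" behaviour with no address translation at all. Interface names
# lan0/wan0 and the prefix 2001:db8:1::/64 are assumed placeholders.
flush ruleset

table ip6 fw6 {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        # Replies to flows the firewall itself started.
        ct state established,related accept
        ct state invalid drop

        # Neighbor Discovery and basic ICMPv6 must pass or IPv6 stops working
        # on the link (RFC 4890 gives the full list); nothing is rewritten.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert,
                      echo-request, packet-too-big,
                      time-exceeded, parameter-problem } accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for flows conntrack already knows about, in either
        # direction. This single line is the whole "diode" mechanism.
        ct state established,related accept
        ct state invalid drop

        # Only the internal network may open new flows toward the outside.
        # Internal hosts keep their global addresses; no saddr rewriting.
        iifname "lan0" oifname "wan0" ip6 saddr 2001:db8:1::/64 ct state new accept

        # ICMPv6 error messages (PMTUD relies on packet-too-big) are forwarded
        # both ways; new inbound TCP/UDP flows from wan0 fall to policy drop.
        icmpv6 type { packet-too-big, time-exceeded, parameter-problem } accept
    }
}
```

Syntax-check the file with `nft -c -f fw6.nft` before loading it with `nft -f fw6.nft`. Inbound connection attempts toward internal hosts hit `policy drop` in `forward` because conntrack has no matching entry, exactly the behaviour NAT provides as a side effect, while the internal hosts remain directly addressable for any flow an administrator later chooses to permit with an explicit `ct state new` rule in the `wan0` to `lan0` direction.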
