On 8 July 2016 at 19:18, Gert Doering <[email protected]> wrote:
> Hi,
>
> On Fri, Jul 08, 2016 at 06:51:21PM +1000, Mark Smith wrote:
>> Depending on an experimental RFC for your security sounds like a
>> really bad idea to me!
>
> But NATs are good!  I've seen it on youtube, so it must be true!
>

That must be why ISPs are deploying carrier grade ones!


Actually, I think people advocating ULA+NPT for security are probably
assuming NPT is the IPv6 equivalent of IPv4 (stateful) NAPT.

It isn't, it's just stateless prefix swapping at the NPT domain
boundary. So no hiding of internal hosts' IIDs, internal hosts are
going to be reachable with unsolicited packets from outside because it
is stateless, and I think it would be common to deploy it with a 1:1
external to internal /64 prefix mapping, so no internal topology
hiding in that case either.

ULA+NPT isn't going to be effective if your objective is to protect
hosts from unsolicited incoming connections and to hide the unique
parts of their IPv6 addresses.

Regards,
Mark.

> gert
>
> (And yes, it *is* Friday)
> --
> have you enabled IPv6 on something today...?
>
> SpaceNet AG                        Vorstand: Sebastian v. Bomhard
> Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
> D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
> Tel: +49 (0)89/32356-444           USt-IdNr.: DE813185279

_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
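
The contrast drawn in the message above, as an added example that is not part of the original e-mail: a simplified model of a stateless 1:1 /64 prefix swap next to a hypothetical stateful gate. The prefixes, host addresses and the `StatefulGate` class are constructed for illustration, and the model leaves out the checksum-neutral address adjustment of RFC 6296.

```python
import ipaddress

# Constructed sample prefixes (assumptions, not taken from the message).
INTERNAL = ipaddress.ip_network("fd00:1234:5678:1::/64")  # ULA side
EXTERNAL = ipaddress.ip_network("2001:db8:aaaa:1::/64")   # documentation prefix

def swap_prefix(addr, src_net, dst_net):
    """Replace the prefix bits of addr, keep every bit below the prefix."""
    addr = ipaddress.ip_address(addr)
    if addr not in src_net:
        raise ValueError(f"{addr} is outside {src_net}")
    low_bits = int(addr) & int(src_net.hostmask)
    return ipaddress.ip_address(int(dst_net.network_address) | low_bits)

def npt_outbound(src):
    """Inside -> outside: rewrite the source address."""
    return swap_prefix(src, INTERNAL, EXTERNAL)

def npt_inbound(dst):
    """Outside -> inside: a pure function of the packet, no flow table consulted."""
    return swap_prefix(dst, EXTERNAL, INTERNAL)

def iid(addr):
    """Low 64 bits (interface identifier) of an address."""
    return int(ipaddress.ip_address(addr)) & (2**64 - 1)

class StatefulGate:
    """Hypothetical stateful device: inbound passes only for flows opened from inside."""
    def __init__(self):
        self.flows = set()

    def outbound(self, inside, remote):
        self.flows.add((ipaddress.ip_address(inside), ipaddress.ip_address(remote)))

    def inbound_allowed(self, remote, inside):
        return (ipaddress.ip_address(inside), ipaddress.ip_address(remote)) in self.flows

if __name__ == "__main__":
    host = "fd00:1234:5678:1:21a:2bff:fe3c:4d5e"  # constructed internal host
    peer = "2001:db8:ffff::53"                    # constructed outside host
    seen_outside = npt_outbound(host)
    print("outside sees:", seen_outside, "IID kept:", iid(seen_outside) == iid(host))
    # Unsolicited packet to the external address is translated and forwarded.
    print("unsolicited inbound lands on:", npt_inbound(seen_outside))
    gate = StatefulGate()
    print("stateful gate, unsolicited:", gate.inbound_allowed(peer, host))
    gate.outbound(host, peer)
    print("stateful gate, after inside opened flow:", gate.inbound_allowed(peer, host))
```

If inbound filtering is the goal, it has to come from a separate stateful firewall policy at the boundary, since the translation step itself keeps no flow state.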
