On Thu, Jan 22, 2004 at 03:38:38PM -0500, Brian Weaver <[EMAIL PROTECTED]> wrote:
> I prefer to look at NAT as not delegating an entire set of machines as
> second class citizens. Instead I tend to think of the machines behind
> NAT/Firewall as children not yet battle hardened enough to handle the
> real world. A prime example is my wife's Windows box. It just isn't
> ready for all the bullies on the net. Anti-Virus software is like using
> tissue paper for a bullet proof vest. If the bullet's a dud you are all
> right, if not then pray for a poor marksman.
>
> NAT is no excuse for poor internal security, but it does allow a certain
> amount of flexibility and breathing room on internal systems. Think of it
> as a gated community. Only a truly skilled and determined thug can get
> in to bang on your door (unless you've left the gate open of course).

There's one point that seems to be lost in this discussion. You can still do NAT with IPv6. You can also use a proper firewall and get the security you're speaking about, without NAT. At the same time, you'd be able to have several VoIP phones, PDAs, intelligent devices which could each be accessed by their individual addresses, rather than multiplexed through one IP as most homes are currently.

So, an argument against IPv6 by defending NAT misses the point. IPv6 allows NAT _or_ individually routable addresses. How could this possibly be worse?

David

--
TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
TriLUG PGP Keyring : http://trilug.org/~chrish/trilug.asc
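
The point made in the reply above, that a stateful firewall gives the "gated community" protection without NAT, shown as an added example that is not part of the original message: a minimal nftables ruleset for an IPv6 home router. The interface names `wan0` and `lan0`, the phone address `2001:db8:1::10` (documentation prefix) and the SIP port are assumptions chosen for illustration.

```nftables
# Added example, not from the thread. Assumed names: wan0 = uplink, lan0 = home LAN.
table ip6 filter {
    chain forward {
        # Default-deny: nothing crosses the router unless a rule below allows it.
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections that inside hosts opened themselves.
        # This is the same filtering effect people attribute to NAT.
        ct state established,related accept
        ct state invalid drop

        # ICMPv6 errors must pass or path MTU discovery breaks.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept

        # Inside hosts may open connections to the Internet.
        iifname "lan0" oifname "wan0" accept

        # Optional: one device made reachable at its own address
        # (constructed address for a VoIP phone, SIP signalling only).
        iifname "wan0" ip6 daddr 2001:db8:1::10 udp dport 5060 accept

        # Everything else arriving on wan0 falls through to policy drop.
    }
}
```

Every LAN host keeps a globally routable address, but unsolicited inbound packets are dropped unless a per-address rule like the phone entry opens a specific port.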
