[GRLUG] Regarding NAT and IPv6

Adam Tauno Williams awilliam at whitemice.org
Fri Feb 10 11:51:04 EST 2012


On Fri, 2012-02-10 at 11:37 -0500, megadave wrote:
> <quote>NAT is also a piece of crap as it breaks certain protocols (for
> clear example look at FTP in the early days), and kills the entire
> idea of peer to peer reachability and end to end accountability (ever
> tried to track NAT'd connections through multiple translations at
> multiple sites, pain in the arse).</quote>

+1

> I'd reply at that site, but I don't see how to do so...
> My comment on this would be, "Sometimes that is INTENTIONAL - it is
> the DESIRED result to have an 'internal' network which is not directly
> reachable by external hosts. 

Yes, and that is the purpose of a firewall.  NAT is *NOT* a security
measure.  Block access at the firewall(s), and you have no access.
Using *theoretically* non-routable address spaces accomplishes nothing
[except to make things needlessly complicated].

And the term "directly" doesn't mean anything.  A node is reachable or
it is not reachable; directly, indirectly, upside down, or otherwise.

> And quite frankly, any protocol which was
> developed once NAT became common (so ftp is off the hook) that doesn't
> work with NAT, is ITSELF broken, IMNSHO"

No.  NAT is a horrible hack that just forces everything else to be more
complicated [and thus, amusingly, *less* secure] in order to cope with
the pointlessness that is NAT [it is certainly pointless in an IPv6
world; IPv4 needs it].



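As an added illustration of the point above, not part of Adam's message or the thread: an nftables ruleset for an IPv6 router that gives the inside network the "not reachable from outside" property purely by filtering, with every inside host keeping its real global address and no translation anywhere. The interface names, the 2001:db8:1::/64 prefix and the 2001:db8:1::443 host are assumed placeholders.

```nftables
#!/usr/sbin/nft -f
# Assumed names and addresses (placeholders, not taken from the thread).
define wan = "eth0"
define lan = "eth1"
define lan_prefix = 2001:db8:1::/64

table ip6 filter {
    chain forward {
        # Default is to forward nothing; every permitted path is listed below.
        type filter hook forward priority 0; policy drop;

        # Replies to connections the inside opened. Reachability is decided
        # by connection state here, not by rewriting anyone's address.
        ct state established,related accept
        ct state invalid drop

        # Inside hosts, using their global addresses unchanged, may initiate
        # outbound connections.
        iifname $lan oifname $wan ip6 saddr $lan_prefix accept

        # ICMPv6 is not optional in IPv6: path MTU discovery and error
        # reporting break if these types are dropped (RFC 4890 also
        # recommends passing echo).
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem,
                      echo-request, echo-reply } accept

        # Inbound reachability is an explicit policy choice, one host and one
        # port at a time; nothing else on the LAN is reachable from the WAN.
        iifname $wan oifname $lan ip6 daddr 2001:db8:1::443 \
            tcp dport 443 ct state new accept
    }
}
```

Load it with `nft -f`; the point to check afterwards is that `nft list ruleset` shows no `nat` table at all, so the inside hosts are unreachable because of the `policy drop`, not because of any address translation.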


