
Security

Friday, September 27, 2002

NAT v. IPv6

Speaking of IPv6: Revitalizing the Internet Revolution, Brett Morgan says
I somehow doubt we will ever see people dispense with NAT firewalls. They are too widely used as an easy way to secure a set of insecure operating systems published by a certain Redmond company. Sadly, this will make true p2p apps a pita to build. Which is why p2p apps should work by publishing xml on a pub-sub model instead of a synchronously connected model. [Brett Morgan's Insanity Weblog Zilla]

I concur with Brett, unless someone can convince me otherwise. NAT fills another need besides addressing the problem of a limited address space: it permits private, non-routable IP networks to connect to the Internet, while ensuring that systems on the Internet can't initiate connections to the private networks. Do you really want your accounting systems to be full peers on the network?

Or, to look at this from a perverted perspective, why assign a routable address to a device if you then place so many barriers between it and other devices that you might as well have not assigned an address to it at all?

NAT doesn't so much break the end-to-end security model as it moves security negotiations to a different layer of the network model.
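To make the "can't initiate connections inward" property concrete, here is a small added example (mine, not from this post or any real NAT implementation) of a stateful translator: a mapping exists only because a private host sent something out, so an unsolicited inbound packet has no state to match and is dropped. The addresses are constructed documentation-range values.

```python
import itertools
from dataclasses import dataclass, field

# Constructed example: the NAT's own public address (documentation range).
PUBLIC_IP = "203.0.113.1"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Nat:
    # outbound flow (priv_ip, priv_port, remote_ip, remote_port) -> public port
    table: dict = field(default_factory=dict)
    # public port -> the outbound flow that created it
    reverse: dict = field(default_factory=dict)
    # public port allocator; starts at an arbitrary high port
    ports: itertools.count = field(default_factory=lambda: itertools.count(40000))

    def outbound(self, pkt: Packet) -> Packet:
        """Private host -> Internet: create (or reuse) a mapping and rewrite the source."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if flow not in self.table:
            pub_port = next(self.ports)
            self.table[flow] = pub_port
            self.reverse[pub_port] = flow
        return Packet(PUBLIC_IP, self.table[flow], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet):
        """Internet -> private host: forward only if it matches state a private host created.

        Returns the rewritten packet, or None when the packet is dropped.
        """
        flow = self.reverse.get(pkt.dst_port)
        if flow is None:
            return None  # no mapping at all: nobody inside asked for this
        priv_ip, priv_port, remote_ip, remote_port = flow
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None  # mapping exists, but this is not the peer the host contacted
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)


if __name__ == "__main__":
    nat = Nat()
    out = nat.outbound(Packet("10.0.0.5", 51000, "198.51.100.7", 80))
    print("rewritten outbound:", out)
    print("reply forwarded to:", nat.inbound(Packet("198.51.100.7", 80, PUBLIC_IP, out.src_port)))
    print("unsolicited inbound:", nat.inbound(Packet("192.0.2.9", 4444, PUBLIC_IP, 22)))
```

The accounting-system question in the post is exactly this table: a host that never sends outbound traffic never acquires an entry, so nothing outside can reach it through the translator.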

12:02:22 PM
categories: Security, System Administration