[6bone] Re: Is minimum allocation /64 now?

Matt.Carpenter@alticor.com
Tue, 28 Oct 2003 10:19:20 -0500





I concede that there is some security in NAT, simply because it helps to
protect those end users who don't do anything to secure themselves.
However, there is no security in NAT beyond that which a firewall provides.
Simple firewall rulesets are amazingly simple and can be "defaulted" to
provide out-of-the-box protection as seen in NAT routers today.

ISPs charge for extra IP addresses because they can.  It is valuable,
almost like real estate.  One key purpose of IPv6 is to lessen the cost of
IP addresses through making them plentiful commodities.
Thinking of a single IP with NAT as an added value over many IPs has some
serious repercussions on other aspects of the Internet where logic reigns.

> "Many ISPs charge for extra IP addresses, and they don't do it just because
> they have to type in 3 commands on their router. NAT gives a certain amount
> of security for end-users."
>
> 1 user, not 1 endsite, not 1 ptp tunnel.
> If it were an "enduser product" there would be going
> a /48 to that enduser.
>
> That simply is requiring the user to NAT and not giving
> them full internet access. NAT as 'security' is bullshit.
> If you want to give them 'security' then offer a standard
> firewalling service like many ISPs do. And of course if
> you do offer it also offer the option to turn it off for
> the clued people.
>