Subj : NAT
To : Victor Sudakov
From : Markus Reschke
Date : Sat Jan 26 2019 12:12:38

Hello Victor!

Jan 25 23:46 2019, Victor Sudakov wrote to All:

 VS> With the proliferation of IPv6 I hear more and more often that NAT is
 VS> a great security mechanism because it hides your intranet
 VS> infrastructure from outsiders,

There's a lot of misunderstanding of NAT and security. The typical case is that NAT is done by a dedicated firewall or a router with firewall features, i.e. the firewall/router does packet filtering and NAT. So a lot of people think that NAT implies security, but it doesn't. NAT is exactly what the acronym says: network address translation. A 1:1 NAT simply translates one address or subnet to another. How could that provide any security? What you need is packet filtering (plus proxies and so on).

 VS> infrastructure from outsiders, and how unfit IPv6 is for enterprise
 VS> networks because it lacks the notion of NAT which makes IPv6 networks
 VS> so very very much insecure.

There's also NAT for IPv6. BTW, IPv6 has a nice feature called Privacy Extensions to automatically change IP addresses regularly.

ciao,
Markus

---
 * Origin: *** theca tabellaria *** (2:240/1661)
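
The distinction drawn in the message above, as a small model added here (an example, not part of the original post): a gateway doing 1:1 NAT delivers an unsolicited inbound packet to the inside host, and only the stateful packet filter drops it. The address ranges, the `Gateway` class and the function names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed addressing (private and documentation ranges), not from the post.
INSIDE = ipaddress.ip_network("192.168.10.0/24")
OUTSIDE = ipaddress.ip_network("203.0.113.0/24")

def nat_1to1(addr, src_net, dst_net):
    """Pure translation: same host offset, different prefix. No policy decision."""
    a = ipaddress.ip_address(addr)
    if a not in src_net:
        return None
    offset = int(a) - int(src_net.network_address)
    return str(dst_net.network_address + offset)

@dataclass
class Gateway:
    stateful_filter: bool
    # Known flows: (inside_ip, inside_port, remote_ip, remote_port)
    flows: set = field(default_factory=set)

    def outbound(self, src, sport, dst, dport):
        """Inside host opens a connection; returns the packet as seen outside."""
        self.flows.add((src, sport, dst, dport))
        return (nat_1to1(src, INSIDE, OUTSIDE), sport, dst, dport)

    def inbound(self, src, sport, dst, dport):
        """Packet from outside; returns the delivered packet, or None if dropped."""
        inside = nat_1to1(dst, OUTSIDE, INSIDE)
        if inside is None:
            return None  # destination is not one of the translated addresses
        if self.stateful_filter and (inside, dport, src, sport) not in self.flows:
            return None  # unsolicited: the filter, not the NAT, drops it
        return (src, sport, inside, dport)

def demo():
    """Run the same traffic through NAT alone and through NAT plus filtering."""
    results = {}
    for name, filt in (("nat_only", False), ("nat_plus_filter", True)):
        gw = Gateway(stateful_filter=filt)
        gw.outbound("192.168.10.5", 40000, "198.51.100.7", 443)
        reply = gw.inbound("198.51.100.7", 443, "203.0.113.5", 40000)
        unsolicited = gw.inbound("198.51.100.99", 50000, "203.0.113.5", 22)
        results[name] = (reply, unsolicited)
    return results

if __name__ == "__main__":
    for name, (reply, unsolicited) in demo().items():
        print(name, "reply:", reply, "unsolicited:", unsolicited)
```

In both configurations the reply to the inside host's own connection is delivered; the results differ only for the unsolicited packet to port 22.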