FGHIGate on GaNJa NeTWoRK ST@Ti0N - Viewing a message from the IPV6 echo conference
Messages from the IPV6 echo conference are available with dates from 31 Jul 11 14:37:00 to 01 Apr 24 00:03:00, total messages: 7402
= Message: 5817 of 7402 ============================================== IPV6 =
From    : Victor Sudakov                   2:5005/49          26 Jan 19 21:49:42
To      : Markus Reschke                                      26 Jan 19 21:49:42
Subject : NAT
FGHI    : area://IPV6?msgid=2:5005/49+5c4c7389
Reply to: area://IPV6?msgid=2:240/1661+5c4220cb
= Message encoding detected as: CP866 ========================================
Reply   : area://IPV6?msgid=2:240/1661+5c4220cc
==============================================================================
Dear Markus,

26 Jan 19 12:12, you wrote to me:

VS>> With the proliferation of IPv6 I hear more and more often that
VS>> NAT is a great security mechanism because it hides your intranet
VS>> infrastructure from outsiders,

MR> There's a lot of misunderstanding of NAT and security. The typical
MR> case is that NAT is done by a dedicated firewall or a router with
MR> firewall features, i.e. the firewall/router does packet filtering and
MR> NAT. So a lot of people think that NAT implies security, but it
MR> doesn't.

The security guidelines I have read don't specify "NAT must be used." They specify "RFC1918 addresses must be used in the internal network."

MR> NAT is exactly what the acronym says: network address
MR> translation. An 1:1 NAT simply translates one address or subnet to
MR> another. How could that provide any security?

A static NAT has limited usage and indeed does not provide much additional security. But the dynamic NAT and especially PAT provide a very important security feature no packet filter provides: they *hide* the *source* *addresses* of internal hosts, thus effectively hiding the network structure from outsiders.

MR> What you need is packet
MR> filtering (plus proxies and so on).

Yes, a proxy would do the same hiding as a dynamic NAT.

VS>> infrastructure from outsiders, and how unfit IPv6 is for
VS>> enterprise networks because it lacks the notion of NAT
VS>> which makes IPv6 networks so very very much insecure.

MR> There's also NAT for IPv6.

Never heard of that, other than DNS64/NAT64 which are for a different purpose.

MR> BTW, IPv6 has a nice feature called Privacy
MR> Extensions to automatically change IP addresses regularly.

Yes, with Privacy Extensions it becomes more difficult to map a single host, but all your /64 internal networks are still mappable. For example, by analyzing browsing behaviour, you can easily guess which /64 in your company is for engineering staff and which is for the management.

Victor Sudakov, VAS4-RIPE, VAS47-RIPN
--- GoldED+/BSD 1.1.5-b20160322-b20160322
* Origin: Ulthar (2:5005/49)
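To make the distinction the thread argues about concrete, here is an added toy model of a port-and-address-restricted PAT (my own illustration, not code from either participant): two internal hosts leave with the same public source address, a reply is mapped back only because an outbound mapping exists, and an inbound packet from an unexpected peer is dropped. The addresses and the class names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class PortAddressTranslator:
    """Toy address- and port-restricted PAT; constructed for illustration only."""
    public_ip: str
    internal_net: ipaddress.IPv4Network
    next_port: int = 40000
    outbound: dict = field(default_factory=dict)  # (src, sport, dst, dport) -> public port
    inbound: dict = field(default_factory=dict)   # public port -> (src, sport, dst, dport)

    def egress(self, pkt: Packet) -> Packet:
        """Rewrite an outbound packet so every internal host appears as public_ip."""
        if ipaddress.ip_address(pkt.src) not in self.internal_net:
            raise ValueError("packet is not from the internal network")
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.outbound:          # allocate a public port on first use
            self.outbound[key] = self.next_port
            self.inbound[self.next_port] = key
            self.next_port += 1
        return Packet(self.public_ip, self.outbound[key], pkt.dst, pkt.dport)

    def ingress(self, pkt: Packet):
        """Translate a reply back to the internal host, or drop it (None).
        Only traffic matching an existing outbound mapping passes: this state,
        not the address rewriting itself, is what blocks unsolicited inbound."""
        key = self.inbound.get(pkt.dport)
        if pkt.dst != self.public_ip or key is None:
            return None
        src, sport, dst, dport = key
        if (pkt.src, pkt.sport) != (dst, dport):  # reply from an unexpected peer
            return None
        return Packet(pkt.src, pkt.sport, src, sport)

def demo():
    """Two internal hosts talk to the same server; the server sees one address."""
    nat = PortAddressTranslator("203.0.113.5", ipaddress.ip_network("10.0.0.0/8"))
    out1 = nat.egress(Packet("10.1.1.10", 51000, "198.51.100.7", 443))
    out2 = nat.egress(Packet("10.2.2.20", 51000, "198.51.100.7", 443))
    reply = nat.ingress(Packet("198.51.100.7", 443, "203.0.113.5", out1.sport))
    stray = nat.ingress(Packet("198.51.100.9", 22, "203.0.113.5", out1.sport))
    return out1, out2, reply, stray
```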
