
RE: stable addressing
On Mon, 19 Apr 2004, Fleischman, Eric wrote:
> On the other hand, in support of your posting, we also don't want
> outsiders to know about our internal networks. We currently plan to
> handle this by deploying NATs for IPv6, such as we currently do for
> IPv4 (i.e., like many other Fortune 100 companies, we use NATs for
> security, not for addresses). 

Why don't you just deploy proxy servers at the edge of your network?
It allows you to talk to the outside using local addresses, while
disguising the internal topology, as only the proxy servers' addresses
are known.

Much better than deploying v6 NAT.

> While I doubt if our security people
> are willing to discard the use of NATs as a security mechanism,
> perhaps a heavy dose of the logic found within your posting below
> would cure them of that position (but I somehow doubt it)?

What "security" is that, pray?

Not being able to make out internal topology from the v6 addressing
plan?  Using proxies fixes that.

Not being able to initiate connections to the internal network e.g. 
for mapping the network?  Using a default-deny-incoming stateful 
firewall/ACLs at the border fixes that.

The security benefits of NATs are mostly misguided, which you're 
probably aware of?

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
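The default-deny-incoming stateful border filter described in the reply above, written out as an nftables ruleset for an IPv6 border router. This is an added example, not part of the original message; the interface names wan0 (outside) and lan0 (inside) and the use of nftables syntax are assumptions.

```nft
# Added example (not from the thread). Stateful default-deny-incoming
# IPv6 border policy: inside hosts may initiate, outside hosts may only
# answer. Interface names wan0/lan0 are assumptions.
table ip6 border {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for flows the inside initiated is allowed back in.
        ct state established,related accept
        ct state invalid drop

        # Inside hosts may open connections to the outside.
        iifname "lan0" oifname "wan0" accept

        # IPv6 breaks without these ICMPv6 types (Path MTU discovery,
        # diagnostics), so allow them through in both directions.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept

        # Anything else arriving from the outside is unsolicited: log it
        # (useful for spotting scanning attempts) and let the policy drop it.
        # This is what denies an outsider the ability to map the internal
        # network, without any address translation.
        iifname "wan0" log prefix "v6-unsolicited-in: " drop
    }

    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop
        iif "lo" accept

        # Neighbor Discovery and router messages the border router itself
        # needs, plus the ICMPv6 error types above.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-solicit, nd-router-advert,
                      destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept

        # Management access to the router only from the inside (assumption).
        iifname "lan0" tcp dport 22 accept
    }
}
```

Load with `nft -f <file>` and confirm with `nft list ruleset`; the forward chain's `policy drop` is what makes unsolicited inbound traffic fail, regardless of whether the internal addresses are globally routable.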