Not to take issue with either statement in particular, but I think there
needs to be some consideration of what "fail" means.
Fail means that an inexperienced admin drops a router in place of the
firewall to work around a priority problem while the senior engineer
is on vacation. With NAT protecting unroutable addresses, that failure
mode fails closed.
In addition to fail-closed, NAT also means:
* search engines and connectivity providers cannot (easily)
differentiate and/or monitor your internal hosts, and
* multiple routes do not have to be announced or otherwise accommodated
by internal re-addressing.
> > Not to take issue with either statement in particular, but I think there
> > needs to be some consideration of what "fail" means.
> > Fail means that an inexperienced admin drops a router in place of the
> > firewall to work around a priority problem while the senior engineer
> > is on vacation. With NAT protecting unroutable addresses, that failure
> > mode fails closed.
> > In addition to fail-closed, NAT also means:
> > * search engines and connectivity providers cannot (easily)
> > differentiate and/or monitor your internal hosts, and
> Right, because nobody has figured out Javascript and Cookies.
Having worked for comScore, I can tell you that having a fixed address
in the lower 64 bits would make their jobs oh so much easier. Cookies
and javascript are of very limited utility.
On the other hand, I could swear I've seen a draft where the PC picks
up random unused addresses in the lower 64 for each new outbound
connection for anonymity purposes. Even if there is no such draft, it
wouldn't exactly be hard to implement. It won't take NAT to anonymize
the PCs on a LAN with IPv6.
> > * multiple routes do not have to be announced or otherwise accommodated
> > by internal re-addressing.
> I fail to see how NAT even affects this in a properly structured network.
That's your failure, not Roger's. As delivered, IPv6 is capable of
dynamically assigning addresses from multiple subnets to a PC, but
that's where the support for multiple-PA multihoming stops. PCs don't
do so well at using more than one of those addresses at a time for
outbound connections. As a number of vendors have done with IPv4, an
IPv6 NAT box at the network border can spread outbound connections
between multiply addressed upstream links.
> http://www.ipinc.net/IPv4.GIF
> The energy that people are willing to spend to fix it (NAT, LSN),
> rather than bite the bullet is amazing.
A friend of mine drives a 1976 Cadillac El Dorado. I asked him why
once. He explained that even at 8 miles to the gallon and even after
having to find 1970's parts for it, he can't get anything close to as
luxurious a car from the more modern offerings at anything close to
the comparatively small amount of money he spends.
The thing has plush leather seats that feel like sinking into a comfy
couch and an engine with more horsepower than my Mustang GT. It isn't
hard to see his point.
> On the other hand, I could swear I've seen a draft where the PC picks
> up random unused addresses in the lower 64 for each new outbound
> connection for anonymity purposes. Even if there is no such draft, it
> wouldn't exactly be hard to implement. It won't take NAT to anonymize
> the PCs on a LAN with IPv6.
The idea is covered by one or more patents held by Cisco.
I think this is different. They're talking about using a new IPv6 for
each connection. RFC4941 just changes it over time IIRC. IMHO that's
still pretty good privacy, at least on par with a NATed IPv4 from the
outside perspective, especially if you rotated through temporary IPv6s
fairly frequently.
Of course, for browsers, as someone else mentioned, it's somewhat moot
because of cookies.
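As an added illustration of the two points raised above (the fixed low 64 bits that comScore would key on, and RFC 4941 temporary identifiers that change over time), here is a small Python script that is not from this thread; the MAC address and prefixes are constructed sample values and the function names are my own. It builds the modified EUI-64 identifier from a MAC and then walks the RFC 4941 section 3.2.1 generator: MD5 over the previous history value and the stable identifier, left 64 bits as the new identifier with the u/l bit cleared, right 64 bits as the next history value. RFC 4941 was obsoleted by RFC 8981 in 2021, which drops the MD5 construction in favour of any sufficiently unpredictable generator, so this is the historical algorithm under discussion, not current guidance.

```python
"""Constructed example: modified EUI-64 vs. RFC 4941 temporary interface identifiers."""
from __future__ import annotations

import hashlib
import ipaddress
import os


def eui64_from_mac(mac: str) -> bytes:
    """Modified EUI-64 interface identifier (RFC 4291 appendix A): split the
    48-bit MAC, insert ff:fe in the middle, and invert the u/l bit (0x02)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def next_temporary_iid(history: bytes, stable_iid: bytes) -> tuple[bytes, bytes]:
    """One round of RFC 4941 section 3.2.1. Returns (temporary IID, next history).
    The left 64 bits of MD5(history || stable IID) become the identifier with bit 6
    of the first octet cleared ("locally assigned"); the right 64 bits are kept as
    the history value for the next round. A reserved all-zero identifier
    (subnet-router anycast) is rejected and the round is run again."""
    if len(history) != 8 or len(stable_iid) != 8:
        raise ValueError("history and interface identifier must each be 8 bytes")
    while True:
        digest = hashlib.md5(history + stable_iid).digest()
        iid = bytearray(digest[:8])
        iid[0] &= 0xFD
        history = digest[8:]
        if bytes(iid) != bytes(8):
            return bytes(iid), history


def _join(prefix: str, iid: bytes) -> str:
    """Combine a /64 prefix with a 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC prefixes are /64")
    return str(ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big")))


def stable_address(prefix: str, mac: str) -> str:
    """The address SLAAC would form from the MAC: same low 64 bits in every prefix."""
    return _join(prefix, eui64_from_mac(mac))


def temporary_addresses(prefix: str, mac: str, history: bytes, count: int) -> list[str]:
    """Successive RFC 4941 temporary addresses, each derived from the previous history."""
    stable = eui64_from_mac(mac)
    out = []
    for _ in range(count):
        iid, history = next_temporary_iid(history, stable)
        out.append(_join(prefix, iid))
    return out


def host_key(addr: str) -> int:
    """Low 64 bits of an address: what an outside observer would key on to
    recognise the same host again, even after a prefix change."""
    return int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"  # constructed sample MAC
    for p in ("2001:db8:1::/64", "2001:db8:2::/64"):
        print("stable    ", stable_address(p, mac), hex(host_key(stable_address(p, mac))))
    history = os.urandom(8)  # RFC 4941: initial history value is random
    for a in temporary_addresses("2001:db8:1::/64", mac, history, 4):
        print("temporary ", a, hex(host_key(a)))
```

Running it shows the two stable addresses sharing one host_key across different prefixes, while each temporary address carries a different one; that per-host key is exactly what privacy addressing removes without any NAT in the path.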
> Hedy Lamarr (November 9, 1914 - January 19, 2000) was an Austrian-born American actress and engineer. Though known primarily for her film career as a major contract star of MGM's "Golden Age", she also co-invented an early form of spread spectrum communications technology, a key to modern wireless communication.[1]
I think he was actually quoting the movie. They always called Harvey
Korman's character "Hedy" and he'd always correct them with "That's
Hedley" in a most disapproving tone.
You had to have watched that movie way too many times (much to my
wife's chagrin) to catch the subtle joke.