Operational challenges of no NAT

Mark Blackman mark at exonetric.com
Thu Oct 28 12:06:44 CEST 2010


Ben Jencks wrote:
>
> Wouldn't crypto, either HMAC or signatures, be a better assurance of
> authorization? Sure, they can whitelist your /64, but that just serves
> to keep the riff-raff out; the signature provides the actual identity
> information.
>
> For callbacks, they should be done with DNS names. That way you're
> v4/v6 agnostic at the application layer, and you can renumber your
> callback receiver at will.
>
> I'm aware that in dealing with big providers they can have a pretty
> hard-to-budge idea of how to do things. But if you're asking for the
> "IPv6 way", I think crypto and DNS are the way to go.

Is there some documented list of the usual requirements that NAT is used 
to satisfy and the corresponding IPv6 method to satisfy that requirement?

Lots of IT managers really like NAT for managing the interface between
their network and the big bad world outside.

I hadn't even considered the case the original poster brought up, myself.

- Mark

Exonetric



More information about the ipv6-ops mailing list