nanog mailing list archives

RE: RFC1918 addresses to permit in for VPN?


From: Richard Welty <rwelty () vpnet com>
Date: Tue, 2 Jan 2001 12:06:13 -0500


So the picture that emerges is that Randy is very definitely
speaking of NAT as Bi-directional or Two-Way NAT (in the terminology
of RFC 2663), where no address conservation is practiced, and
machines with private addresses are directly reachable via public
addresses, through a fixed incoming mapping applied by the NAT
device.

umm, fixed is not a requirement here. you can go two way through addresses allocated out of a pool easily enough. yes, the hacker won't have control over what is in the pool that he is trying to hack into, and the externally visible addresses of systems may change, but as long as the NAT is being done and is two way, there are things which are subject to attack.

the combination of RFC 1918 space and NAT is a sorry excuse for security. you need some sort of packet filtering or access control on the path, possibly in the box doing the NAT, possibly in some other box, but you _must_ have it.

if a network is completely isolated from the public internet, then the RFC1918 issue is irrelevant, as the network is inaccessible regardless of what network addresses are being used.

richard
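As an added example (editor's illustration, not part of Richard's post or of any referenced product), here is an nftables ruleset for the situation he describes: two-way NAT in which RFC 1918 hosts are reachable through public addresses drawn from a pool, shown first with nothing but the NAT table (the "NAT as security" mistake) and then with the access control on the forward path that he says is mandatory. The addresses (192.0.2.0/24 as the public pool, 10.0.0.0/24 inside), the interface names and the published ports are assumptions chosen for the example; rotating the pool entries changes nothing in the filter chain.

```nftables
# Two-way NAT: public pool addresses mapped onto RFC 1918 hosts.
# Interface names and addresses are assumptions for this example.
define WAN = eth0
define LAN = eth1

table ip nat {
    # Inbound: a packet arriving for a pool address is rewritten to the
    # private host behind it. The pool entries may change over time, but the
    # mapping is two-way, so every port on the private host is reachable
    # from outside whenever it is mapped.
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        iifname $WAN ip daddr 192.0.2.10 dnat to 10.0.0.10
        iifname $WAN ip daddr 192.0.2.11 dnat to 10.0.0.11
    }
    # Outbound: private hosts leave with their matching pool address.
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $WAN ip saddr 10.0.0.10 snat to 192.0.2.10
        oifname $WAN ip saddr 10.0.0.11 snat to 192.0.2.11
    }
}

# WEAK: stopping here, with no chain hooked on "forward", is the mistake the
# post describes. With net.ipv4.ip_forward=1 the kernel forwards whatever the
# NAT table rewrote, so someone scanning 192.0.2.0/24 reaches 10.0.0.10 on
# every listening port exactly as if it had a public address of its own.

# FIXED: the forward path carries an explicit access control policy.
table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to connections the private hosts opened themselves.
        ct state established,related accept
        ct state invalid drop

        # Anything the private side originates toward the internet.
        iifname $LAN oifname $WAN accept

        # Inbound: only the services meant to be published. DNAT has already
        # run in prerouting, so the filter sees the private destination.
        iifname $WAN oifname $LAN ip daddr 10.0.0.10 tcp dport 443 accept
        iifname $WAN oifname $LAN ip daddr 10.0.0.11 tcp dport { 25, 443 } accept

        # Everything else inbound (ssh, databases, admin ports on the same
        # hosts, and the rest of 10.0.0.0/24) falls through to the chain
        # policy and is dropped; log it so the scans are visible.
        log prefix "fwd-drop " drop
    }
}
```

Load it with `nft -f <file>` and confirm with `nft list ruleset`; the useful check is to scan a pool address from outside before and after the `inet filter` table is present and compare which ports answer.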

