nanog mailing list archives
Re: IPv6 NAT
From: "Patrick W. Gilmore" <patrick () ianai net>
Date: Fri, 31 Oct 2003 11:43:40 -0500
-- On Friday, October 31, 2003 08:03 -0800 -- Owen DeLong <owen () delong com> supposedly wrote:
> There is NO security benefit to NAT/PAT/NAPT.
Disagree. None of the scanning / infecting viruses could get past a $50 NAT/PAT device which Joe User brings home and turns on without configuring.
Do not talk about "if they statically NAT...". Punching holes in stateful firewalls will cause just as much damage.
> There is a security benefit to stateful inspection.
Agreed. And I doubt anyone on this list would say differently.
> NAT is harmful to many protocols. Stateful inspection is not.
Possibly. But Joe User will never use those "many protocols". Plus the overwhelming majority of protocols are not harmed by NAT.
I would bet a statistically insignificant number of packets on the Internet (many places to the right of the decimal) are part of those protocols.
This does not mean we should NAT everything, since I use some of those protocols. But if every Joe User had a DLink NAT box in front of his Winbloze box, the Internet would be a safer place. And you know it.
-- TTFN, patrick