Re: Security gain from NAT

[Matthew Kaufman <matthew () eeph com>]

Leigh Porter wrote:
> Additionally, NATing services on separate machines behind a single NATed 
> address anonymises the services behind a single address.

Agreed. It can be very useful to not expose the internal topology 
through address assignment so as to not expose which 
subnets/desktops/users are accessing certain foreign addresses.

This is an even bigger issue in v6 if your stack exposes the MAC address 
in its choice of stateless autoconfiguration address, as this then gives 
away not just your internal topology but the vendor of the machines (or 
at least the ethernet card maker). One can easily imagine attacks based 
on knowing that a vulnerable and hard-to-upgrade embedded system (an 
Internet-fax machine, say) was on a particular subnet.

Matthew Kaufman
matthew () eeph com