nanog mailing list archives

Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?


From: Valdis.Kletnieks () vt edu
Date: Tue, 27 Apr 2010 14:47:26 -0400

On Tue, 27 Apr 2010 14:37:08 EDT, Jon Lewis said:

> Maybe we want end-to-end to break.
>
> Firewalls can trivially be misconfigured such that they're little more
> than routers, fully exposing all the hosts behind them to everything bad
> the internet has to offer (hackers, malware looking to spread itself,
> etc.).
>
> At least with NAT, if someone really screws up the config, the "inside"
> stuff is all typically on non-publicly-routed IPs, so the worst likely to
> happen is they lose internet, but at least the internet can't directly
> reach them.

You *do* realize that the skill level needed to misconfigure a firewall
into that state, and the skill level needed to do the exact same thing to
a firewall-NAT box, are *both* less than the skill level needed to remember
to also deploy traffic monitors so you know you screwed up, and host-based
firewalls to guard against chuckleheads screwing up the border box?

In other words, if your security scheme relies on that supposed feature of NAT,
you have *other* things you need to be working on.
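The two controls the reply names (a traffic monitor that tells you the border box is wide open, and a check that does not depend on NAT hiding the inside) are easy to script. The following is an added example written for this archive page, not code from the thread or from any firewall vendor; the rulesets and flow records are constructed inline, and the function names and the assumption that the border box exports an `iptables-save` style dump and per-flow records with TCP flags are mine.

```python
"""Two defender-side checks for the failure mode discussed above:
a border firewall that has degraded into a plain router.

  1. audit_iptables_save(): inspect an `iptables-save` style dump and flag a
     FORWARD path that accepts unmatched traffic with no stateful filtering.
  2. unsolicited_inbound(): scan flow records for new connections from
     public sources reaching inside hosts, i.e. the monitor that reports the
     screw-up whether or not NAT sits in front of the hosts.

All inputs below are constructed for illustration (hypothetical example code).
"""
import ipaddress
import re

# Constructed dump of the misconfigured state: default ACCEPT, no conntrack.
OPEN_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
"""

# Constructed dump of a sane state: default DROP, stateful, terminal DROP.
HARDENED_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -j DROP
COMMIT
"""


def audit_iptables_save(dump):
    """Return a list of findings about the FORWARD chain; empty means clean."""
    findings = []
    policy = None
    forward_rules = []
    for line in dump.splitlines():
        line = line.strip()
        m = re.match(r"^:FORWARD (\w+)", line)
        if m:
            policy = m.group(1)              # chain default policy
        elif line.startswith("-A FORWARD"):
            forward_rules.append(line)
    terminal_drop = any(r.endswith("-j DROP") or r.endswith("-j REJECT")
                        for r in forward_rules)
    if policy == "ACCEPT" and not terminal_drop:
        findings.append("FORWARD default-accepts and never drops: box is a router")
    stateful = any("--ctstate" in r or "--state" in r for r in forward_rules)
    if not stateful:
        findings.append("no conntrack match in FORWARD: unsolicited inbound "
                        "is treated like a reply")
    return findings


# RFC 1918 space; what the thread calls the "inside" stuff.
INSIDE_NETS = [ipaddress.ip_network(n)
               for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records from a border tap: (src, dst, dst_port, tcp_flags).
FLOWS = [
    ("192.168.1.10", "93.184.216.34", 443, "S"),   # inside host going out
    ("93.184.216.34", "192.168.1.10", 443, "SA"),  # reply to the above
    ("198.51.100.7", "192.168.1.10", 3389, "S"),   # unsolicited inbound to RDP
    ("203.0.113.9", "192.168.1.22", 445, "S"),     # unsolicited inbound to SMB
]


def is_inside(ip):
    """True if the address falls in one of the private inside ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INSIDE_NETS)


def unsolicited_inbound(flows):
    """Flows that are fresh SYNs (no ACK) from outside to an inside host.

    Any hit means the border box forwarded a new inbound connection, which a
    correctly configured firewall (NAT or not) would have dropped."""
    return [f for f in flows
            if f[3] == "S" and not is_inside(f[0]) and is_inside(f[1])]


if __name__ == "__main__":
    for name, dump in (("open", OPEN_RULESET), ("hardened", HARDENED_RULESET)):
        print(name, audit_iptables_save(dump) or "ok")
    for src, dst, port, _ in unsolicited_inbound(FLOWS):
        print(f"ALERT unsolicited inbound {src} -> {dst}:{port}")
```

The ruleset audit catches the "little more than a router" state from the config side; the flow check catches it from the wire side, and is the one that still fires when the address plan is private, which is exactly the case where NAT would otherwise be trusted to save you.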
