nanog mailing list archives

Re: Is NAT can provide some kind of protection?


From: Lamar Owen <lowen () pari edu>
Date: Thu, 13 Jan 2011 14:28:15 -0500

On Wednesday, January 12, 2011 12:01:27 pm George Bonser wrote:
> With v4 PAT, you can not
> be sure which address/port on the external IP maps to which address/port
> on the inside IP at any given moment and PAT is stateful in that an
> outbound packet is required to start the mapping.

On Cisco at least you can set up static PAT rules and have multiple internal hosts on a single external IP address with 
static NATting.  I've done this in the past, where a webcam application we were using absolutely insisted on binding 
port 80, and on another host the control application we were using also absolutely insisted on binding port 80, but, 
for several purposes, we wanted a single external address, so I set up an extendable NAT rule for port 80 on the 
external IP address to map to the webcam box's port 80, and port 8080 on the external IP address to map to the control 
application's port 80.  Worked fine.  But that wasn't for security, unless you consider that hiding the unused ports on 
those two machines is security.  Since then we've found that a lot of firewalls blocked the connection to port 8080, 
and we had to have the developer restructure the app to handle being on two IP addresses, which was nontrivial thanks 
to cross-site-scripting blockers.

Even my old Linksys WRT54G has 'port forwarding' rules that do static PAT.

> NAT66 is just
> straight static NAT that maps one prefix to a different prefix.

I'm sure that PAT is on the horizon, simply for plumbing purposes to connect the gozinta to the gozouta where weird 
application requirements are found (having two applications and javascripts on a single page that access two different 
backend servers gets blocked by some cross-site scripting 'protections' and thus having the second connection muxed 
onto the same address can alleviate this).  Also, round-robin stateful PAT can be thought of as poor-man's load 
balancing, and has been used in that use case.

And there is the straight NAT non-BGP multihoming use case.  But that's also not for security, but for availability.  

If you wanted IPv6 PAT *now* you could contribute to the MAP66 project and write your own PAT66 
(map66.sourceforge.net).  But it will be provided by someone; since when have technical issues alone ever kept a 
feature from being implemented? 
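The static PAT arrangement described above (two inside hosts that both insist on port 80, published on one external address as :80 and :8080), as an added Cisco IOS configuration example that is not from the original post. All addresses, interface names and the ACL name are assumed placeholders; the access list is added here to make the exposure an explicit policy rather than a side effect of which translations happen to exist.

```cisco
! Constructed example: two inside hosts sharing one outside address via static PAT.
! Assumed/placeholder addressing:
!   203.0.113.5    - the single external (inside global) address
!   192.168.10.20  - webcam host, application bound to TCP 80
!   192.168.10.21  - control-application host, also bound to TCP 80
interface GigabitEthernet0/0
 description Outside
 ip address 203.0.113.5 255.255.255.248
 ip nat outside
 ip access-group OUTSIDE-IN in
!
interface GigabitEthernet0/1
 description Inside
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
! external :80   -> webcam :80
! external :8080 -> control application :80
! "extendable" allows several static translations to share one inside-global address.
ip nat inside source static tcp 192.168.10.20 80 203.0.113.5 80 extendable
ip nat inside source static tcp 192.168.10.21 80 203.0.113.5 8080 extendable
!
! Ports without a translation are unreachable only because no mapping exists;
! that is not a security policy. State the permitted exposure explicitly so a
! translation added later does not silently widen it. The inbound ACL on the
! outside interface is evaluated before translation, so it matches the global address.
! If inside hosts also originate outbound connections, add return-traffic handling
! (for example a stateful inspection policy) rather than loosening this list.
ip access-list extended OUTSIDE-IN
 permit tcp any host 203.0.113.5 eq 80
 permit tcp any host 203.0.113.5 eq 8080
 deny ip any any log
```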
