nanog mailing list archives

Re: Is NAT can provide some kind of protection?


From: Owen DeLong <owen () delong com>
Date: Sat, 15 Jan 2011 14:01:46 -0800


On Jan 15, 2011, at 1:16 PM, Brian Keefer wrote:

On Jan 12, 2011, at 9:21 AM, George Bonser wrote:


I'd eat a hat if a vendor didn't implement a PAT equivalent. It's
demanded too much. There is money for it, so it will be there.


Jack

Yeah, I think you are right.  But in really thinking about it, I wonder
why.  The whole point of PAT was address conservation.  You don't need
that with v6.  All you need to do with v6 is basically have what amounts
to a firewall in transparent mode in the line that doesn't let a packet
in (except where explicitly configured to) unless it is associated with a
packet that went out.

PAT makes little sense to me for v6, but I suspect you are correct.  In
addition, we are putting the "fire suit" on each host in addition to the
firewall. Kernel firewall rules on each host for the *nix boxen.  

Actually there are a couple very compelling reasons why PAT will probably be implemented for IPv6:
1.)  Allows you to redirect a privileged port (on UNIX) to a non-privileged port.  For daemons that don't implement 
some form of privilege revoking after binding to a low port (and/or aren't allowed to run as root), this is very 
useful.  It's much easier to have a firewall redirect than to implement robust privilege revoking.  Example: PAT 
25/tcp -> 2525/tcp.

Actually, that's just port rewriting which is mostly harmless. PAT refers, instead, to a stateful
translation which is most definitely not harmless.

2.)  Allows you to redirect multiple ports to a single one, to support legacy implementations.  Suppose your 
application used to require separate ports for different types of requests, but now is able to multiplex them.  The 
new daemon only listens on one port, but other applications may not have updated their configuration.  Example:  PAT 
4443/tcp -> 443/tcp & PAT 8443/tcp -> 443/tcp.

That's a pretty ugly situation, but it would require a stateful mechanism to address it. I think it is much cleaner to 
have the daemon listen on the multiple ports.

Basically the idea is that implementing PAT for IPv6 allows smoother transition for apps that made use of it in IPv4, 
thus accelerating the adoption of IPv6.

I think the lack of IPv4 resources will soon serve as sufficient acceleration of IPv6 adoption.

Owen
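
As an added illustration (not part of the thread, and not anyone's production config), here is what the distinction Owen draws looks like in an nftables ruleset on an IPv6 host: the first table rewrites only the destination port for the cases quoted above (25 -> 2525, and 4443/8443 -> 443) and leaves the addresses alone, while the second table is the "nothing comes in unless it is associated with a packet that went out, except where explicitly configured" filter. The chain names, the loopback and ICMPv6 exceptions, and the choice of which listening ports to open are my assumptions.

```nft
#!/usr/sbin/nft -f
flush ruleset

# Port rewriting only. Destination address is untouched, so there is no
# address translation and end-to-end addressing survives; only the port
# the daemon binds to changes (e.g. an unprivileged 2525 instead of 25).
table ip6 nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        tcp dport 25 redirect to :2525
        tcp dport { 4443, 8443 } redirect to :443
    }
}

# The "firewall in transparent mode" from the quoted text: inbound is
# dropped by default, replies to what went out are allowed, and the
# explicitly configured services are the only exceptions.
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # ICMPv6 carries neighbor discovery and PMTU; IPv6 does not work without it.
        meta l4proto ipv6-icmp accept
        # Explicit exceptions: ports as seen after the prerouting rewrite above.
        tcp dport { 443, 2525 } ct state new accept
    }
}
```

One caveat on the "mostly harmless" part: on Linux the redirect rule is implemented through connection tracking (the rewrite is decided on the first packet and replayed from the conntrack entry for the rest of the flow), so it is stateful in mechanism even though it only touches the port.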


