nanog mailing list archives
RE: Arguing against using public IP space
From: "Chuck Church" <chuckchurch () gmail com>
Date: Sun, 13 Nov 2011 17:43:46 -0500
When you all say NAT, are you implying PAT as well? 1 to 1 NAT really provides no security. But with PAT, different story. Are there poor implementations of PAT that don't enforce an exact port/address match for the translation table? If the translation table isn't at fault, are the 'helpers' that allow ftp to work passively to blame?

Chuck

-----Original Message-----
From: Doug Barton [mailto:dougb () dougbarton us]
Sent: Sunday, November 13, 2011 4:49 PM
To: Phil Regnauld
Cc: nanog () nanog org
Subject: Re: Arguing against using public IP space

On 11/13/2011 13:27, Phil Regnauld wrote:
> That's not exactly correct. NAT doesn't imply firewalling/filtering. To illustrate this to customers, I've mounted attacks/scans on hosts behind NAT devices, from the interconnect network immediately outside: if you can point a route with the ext ip of the NAT device as the next hop, it usually just forwards the packets...

Have you written this up anywhere? It would be absolutely awesome to be able to point the "NAT IS A SECURITY FEATURE!!!" crowd to an actual demonstration of why it isn't.

Doug

--
"We could put the whole Internet into a book."
"Too practical."

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price. :) http://SupersetSolutions.com/
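The distinction raised in this message, as an added example that is not part of the original post or thread: a simplified Python model of a PAT gateway, showing that an exact-match translation table only governs packets addressed to the gateway's external IP, while packets routed to an inside address never consult it and are stopped only by a forward filter. The `Gateway` and `Packet` names, the addresses and the ports are constructed for illustration and do not model any specific vendor's implementation.

```python
"""Simplified model of a PAT gateway (constructed; not any vendor's code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

WAN_IP = ip_address("203.0.113.1")   # constructed documentation address
LAN = ip_network("192.168.1.0/24")   # constructed inside network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Gateway:
    def __init__(self, filter_forward: bool):
        # True models a default-drop filter on WAN-to-LAN routed traffic;
        # replies to inside-initiated flows still return via the PAT path.
        self.filter_forward = filter_forward
        # (remote ip, remote port, wan port) -> (inside ip, inside port)
        self.pat = {}

    def outbound(self, pkt: Packet, wan_port: int) -> None:
        """An inside host opens a flow; record an exact-match entry."""
        self.pat[(pkt.dst, pkt.dport, wan_port)] = (pkt.src, pkt.sport)

    def inbound(self, pkt: Packet) -> str:
        """Decide what happens to a packet arriving on the WAN interface."""
        dst = ip_address(pkt.dst)
        if dst == WAN_IP:
            # Translation path: only an exact remote address/port match
            # is translated back to the inside host.
            entry = self.pat.get((pkt.src, pkt.sport, pkt.dport))
            if entry is None:
                return "dropped: no translation entry"
            return f"translated to {entry[0]}:{entry[1]}"
        if dst in LAN:
            # Routing path: the packet is already addressed to an inside
            # host, so the translation table is never consulted.
            if self.filter_forward:
                return "dropped: forward filter"
            return "forwarded untranslated"
        return "dropped: no route"
```
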