nanog mailing list archives

Re: Netflix banning HE tunnels


From: Owen DeLong <owen () delong com>
Date: Sun, 12 Jun 2016 16:47:18 -0700


On Jun 9, 2016, at 19:57, Ricky Beam <jfbeam () gmail com> wrote:

On Thu, 09 Jun 2016 21:41:05 -0400, Baldur Norddahl <baldur.norddahl () gmail com> wrote:

Then he reads on NANOG that since he has IPv6
he can just connect to the camera with that.
...

Only to find the built-in stateful firewall blocks unsolicited inbound connections. Now he has to figure out how to 
manipulate ACLs. Or (more likely) he turns that "pesky firewall" off. (followed by the eventual hacking of every 
device he owns.)

NAT may not be security, yet it's the only thing securing billions of people.

Nope… NAT can’t be done without stateful inspection. You can stop mangling the packet headers and leave the stateful 
inspection in place and still have the same exact protection.

I realize most people have a hard time separating NAT from stateful inspection because most people got them both in the 
same package at the same time. Further, most boxes implement NAT and stateful inspection in the same chunk of code 
making it look even more like a single transaction.

However, conceptually they are two different things. Stateful inspection is what actually protects you.

NAT is simply the part where you mutilate the packet header in unnatural ways.

Owen
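
The separation described in the message above, as an added example that is not part of the original post: a toy gateway in which connection tracking and header rewriting are independent steps. The class, function names and the documentation-range addresses are all constructed for illustration.

```python
from typing import NamedTuple, Optional

class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int

class Gateway:
    """Stateful filter with an optional NAT step (hypothetical model)."""

    def __init__(self, nat_addr: Optional[str] = None):
        self.nat_addr = nat_addr  # None = routed, no header rewriting
        self.state = {}           # expected reply 4-tuple -> inside (addr, port)
        self.next_port = 40000

    def outbound(self, p: Packet) -> Packet:
        """Inside host opens a flow: optionally rewrite source, then track it."""
        if self.nat_addr:
            out = Packet(self.nat_addr, self.next_port, p.dst, p.dport)
            self.next_port += 1
        else:
            out = p
        # State is keyed on what the reply will look like on the wire.
        self.state[(out.dst, out.dport, out.src, out.sport)] = (p.src, p.sport)
        return out

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Outside packet: forwarded only if it matches tracked state."""
        inside = self.state.get((p.src, p.sport, p.dst, p.dport))
        if inside is None:
            return None  # unsolicited: dropped by the state check alone
        # Restore the inside address and port (a no-op when NAT is off).
        return Packet(p.src, p.sport, inside[0], inside[1])

def verdicts(gw: Gateway, inside: str, server: str, scanner: str):
    """Return (reply_delivered, unsolicited_probe_dropped) for one flow."""
    out = gw.outbound(Packet(inside, 51000, server, 443))
    reply = gw.inbound(Packet(server, 443, out.src, out.sport))
    probe = gw.inbound(Packet(scanner, 55555, out.src, 80))
    return (reply is not None and reply.dst == inside, probe is None)

if __name__ == "__main__":
    # Constructed sample addresses from the documentation ranges.
    print("NAT + state :", verdicts(Gateway("203.0.113.5"), "192.168.1.10",
                                    "198.51.100.7", "198.51.100.99"))
    print("state only  :", verdicts(Gateway(), "2001:db8:1::10",
                                    "2001:db8:ffff::7", "2001:db8:bad::1"))
```

Both configurations give the same verdicts: the drop decision is made by the state lookup in `inbound`, and the only thing the NAT branch changes is the addresses written into the headers.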


