nanog mailing list archives
Re: RFC1918 addresses to permit in for VPN?
From: Mark Mentovai <mark-list () mentovai com>
Date: Sun, 31 Dec 2000 17:45:27 -0500 (EST)
Randy Bush wrote:
> yes, but the sub-discussion is quite bogus. lsr is not required to get through a nat. the nat presents an outer address that maps directly to the inner address. attack the outer address directly and you have attacked the inner address. life is simple.
Your points are valid, but when did we begin discussing NATs in this thread? I thought that this was another discussion about using RFC 1918 address space on publicly visible interfaces. A router with all of its interfaces numbered using RFC 1918 space, and no tricks like source routing to get in the way, will not be directly reachable from the global Internet. That saves it from one class of attacks, but still leaves it open to others. The most common excuse I've seen for using RFC 1918 space on public interfaces is "I wanted to conserve address space." Silly. People are afraid, without reason, of ARIN and the other RIRs, and take conservation to such an extreme that the network becomes ugly at best and unusable at worst.
> that's all a nat does, translate addresses. again, changing your car's license plates does not make it less vulnerable to accidents.
This isn't a great analogy though, because a whole class of attacks on the Internet rely on the ability to reach the target directly, and reachability is influenced by addressing. On the road, an accident can occur between any two vehicles, license plates or IPv4 addresses or not.
> people commonly confuse nats with packet filters, stateful filters, algs, etc. of course the readers of this list would not be so easily confused.
People think of security when they think of NAT because it's usually implemented in such a way that a small amount of additional security is provided to the devices that sit behind the translator. Obviously (to the readers here) there are other ways to achieve the same level of filtering without the translation.

Mark
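An added illustration, not from the thread, of the distinction the two posters are drawing: a static 1:1 NAT hands an unsolicited inbound packet straight to the inner host, whereas a stateful filter (with no translation at all) drops it unless it matches a flow the inner host opened. Addresses are constructed from 10/8 and the TEST-NET documentation ranges; `Packet`, `StaticNat` and `StatefulFilter` are simplified models, not any vendor's implementation.

```python
import ipaddress
from dataclasses import dataclass

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

def is_rfc1918(addr: str) -> bool:
    """True when addr is in an RFC 1918 block, i.e. not routed from the
    global Internet (Mark's point about all-RFC1918 routers)."""
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)

class StaticNat:
    """1:1 translation only: the outer address maps directly to the inner
    one, so an unsolicited packet to the outer address is delivered to
    the inner host (Randy's point). Nothing is filtered."""
    def __init__(self, outer_to_inner: dict):
        self.outer_to_inner = dict(outer_to_inner)

    def inbound(self, pkt: Packet):
        inner = self.outer_to_inner.get(pkt.dst)
        if inner is None:
            return None  # no mapping: undeliverable, not "filtered"
        return Packet(pkt.src, inner, pkt.sport, pkt.dport)

class StatefulFilter:
    """Connection tracking, no translation: inbound is accepted only when
    it matches a flow the inner host opened outbound."""
    def __init__(self):
        self.flows = set()

    def outbound(self, pkt: Packet) -> Packet:
        # record the 4-tuple as it will appear on the reply packet
        self.flows.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return pkt

    def inbound(self, pkt: Packet):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return pkt if key in self.flows else None  # None means dropped
```

The filtering that people credit to NAT comes from the connection-tracking step, which `StatefulFilter` performs without rewriting a single address.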