nanog mailing list archives

Re: mh (RE: OMB: IPv6 by June 2008)


From: "Steven M. Bellovin" <smb () cs columbia edu>
Date: Thu, 07 Jul 2005 16:10:28 -0400


In message <20050707195433.3B5EC1862 () testbed9 merit edu>, "Tony Hain" writes:

Mangling the header did not prevent the worms, lack of state did that. A
stateful filter that doesn't need to mangle the packet header is frequently
called a firewall (yes some firewalls still do, but that is by choice). 


Absolutely correct.  Real firewalls pass inbound traffic because a 
state table entry exists.  NATs do the same thing, with nasty 
side-effects.  There is no added security from the header-mangling.

                --Steven M. Bellovin, http://www.cs.columbia.edu/~smb
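To illustrate the point made in this reply, here is an added toy model (not code from the thread or from either author): a stateful filter and a NAT built from the same state table, where inbound packets are admitted only if an earlier outbound packet created a matching entry. The NAT differs only in rewriting the source address and port; the addresses, ports and class names are constructed for the example.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFilter:
    """Forward inbound packets only if outbound traffic created matching state."""

    def __init__(self):
        # key: (outside_ip, outside_port, local_ip, local_port) -> inside endpoint
        self.state = {}

    def outbound(self, p: Packet) -> Packet:
        self.state[(p.dst, p.dport, p.src, p.sport)] = (p.src, p.sport)
        return p  # header leaves unchanged: no mangling needed for the security

    def inbound(self, p: Packet):
        inside = self.state.get((p.src, p.sport, p.dst, p.dport))
        if inside is None:
            return None  # no state entry: unsolicited packet is dropped
        return replace(p, dst=inside[0], dport=inside[1])


class Nat(StatefulFilter):
    """Same state table as the filter, plus address rewriting on the way out."""

    def __init__(self, public_ip: str):
        super().__init__()
        self.public_ip = public_ip
        self.next_port = 40000  # constructed starting port for translations

    def outbound(self, p: Packet) -> Packet:
        # Mangle the header (public source address, fresh port) and key the
        # state on the rewritten endpoint so replies can be mapped back inside.
        mangled = replace(p, src=self.public_ip, sport=self.next_port)
        self.next_port += 1
        self.state[(p.dst, p.dport, mangled.src, mangled.sport)] = (p.src, p.sport)
        return mangled


def demo(box: StatefulFilter):
    """Return (reply_delivered, unsolicited_delivered) for a filter or NAT."""
    out = box.outbound(Packet("10.0.0.5", 51000, "198.51.100.7", 80))
    reply = Packet("198.51.100.7", 80, out.src, out.sport)  # matches state
    unsolicited = Packet("203.0.113.9", 4444, out.src, 445)  # never saw outbound
    return box.inbound(reply), box.inbound(unsolicited)
```

Running `demo` on both classes delivers the solicited reply to the inside host and drops the unsolicited packet in each case, which is the behaviour the reply attributes to the state table rather than to the header rewriting.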
