nanog mailing list archives

Re: Failure modes: NAT vs SPI


From: Iljitsch van Beijnum <iljitsch () muada com>
Date: Thu, 3 Feb 2011 20:47:48 +0100

On 3 feb 2011, at 20:09, Jay Ashworth wrote:

> That's the expansion of "fails safe".

You conveniently overlook my earlier message about this.

But sure, let's assume that at some point, some packets from the outside manage to pass through to the inside in the 
IPv6 case. So how does anyone know where to send these packets in the first place? And if they do, what bad effects 
exactly do packets coming from the outside have? Ping of death has been fixed a loooong time ago.

And you assume that NATs block packets very well. They don't. First of all, there's UPnP IGD and NAT-PMP. Depending on 
the type of NAT, the bindings are quite loose and allow lots of additional packets that don't belong to the NATed 
sessions in. After all, NATs only break incoming sessions by accident. Firewalls do this on purpose, so they do a much 
better job.

If you really want to be safe, you should completely disconnect your network. Or at the very least not run any code, 
such as JavaScript and Java, that comes in over the network. This is one of the biggest sources of real-world 
infections. Incoming packets haven't been since about the Slammer worm era.
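The point about NAT bindings being "quite loose" compared to a stateful firewall can be made concrete with a small model. The following is an added illustration, not code from this thread or from any NAT implementation: it models the three filtering behaviours defined in RFC 4787 (endpoint-independent, address-dependent, address-and-port-dependent, the "full cone", "restricted cone" and "symmetric" of older STUN terminology) next to a stateful firewall that only admits the exact reverse of an outbound 5-tuple. The addresses and ports are constructed sample values, and the class names (`Nat`, `StatefulFirewall`, `run_scenario`) are this example's own.

```python
"""Added illustration (not from the NANOG thread): toy model of RFC 4787 NAT
filtering behaviours next to a stateful firewall, showing which unsolicited
inbound packets each device admits once one outbound session exists.

All addresses and ports are constructed sample values."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# RFC 4787 filtering behaviours.
ENDPOINT_INDEPENDENT = "endpoint-independent"          # "full cone"
ADDRESS_DEPENDENT = "address-dependent"                # "restricted cone"
ADDRESS_PORT_DEPENDENT = "address-and-port-dependent"  # "port-restricted"/"symmetric" filtering


class Nat:
    """Port-translating NAT with endpoint-independent mapping (one external
    port per internal ip:port) and a configurable inbound filtering rule."""

    def __init__(self, public_ip: str, filtering: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.filtering = filtering
        self.next_port = first_port
        self.mapping = {}   # (internal_ip, internal_port) -> external_port
        self.reverse = {}   # external_port -> (internal_ip, internal_port)
        self.peers = {}     # external_port -> set of (peer_ip, peer_port) talked to

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.mapping:
            port = self.next_port
            self.next_port += 1
            self.mapping[key] = port
            self.reverse[port] = key
            self.peers[port] = set()
        ext_port = self.mapping[key]
        self.peers[ext_port].add((pkt.dst_ip, pkt.dst_port))
        return Packet(self.public_ip, ext_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet):
        """Return the translated packet if admitted, else None (dropped)."""
        if pkt.dst_ip != self.public_ip or pkt.dst_port not in self.reverse:
            return None  # no binding for this port: dropped by accident, not policy
        peers = self.peers[pkt.dst_port]
        if self.filtering == ENDPOINT_INDEPENDENT:
            admitted = True  # anyone who learns the external port gets through
        elif self.filtering == ADDRESS_DEPENDENT:
            admitted = any(ip == pkt.src_ip for ip, _ in peers)
        else:
            admitted = (pkt.src_ip, pkt.src_port) in peers
        if not admitted:
            return None
        int_ip, int_port = self.reverse[pkt.dst_port]
        return Packet(pkt.src_ip, pkt.src_port, int_ip, int_port)


class StatefulFirewall:
    """No translation; inbound is admitted only if it is the exact reverse of
    a 5-tuple seen outbound. Blocking unsolicited packets is the policy."""

    def __init__(self):
        self.flows = set()

    def outbound(self, pkt: Packet) -> Packet:
        self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return pkt

    def inbound(self, pkt: Packet):
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return pkt if reverse in self.flows else None


def run_scenario():
    """One outbound session from an inside host, then three inbound probes
    aimed at whatever public address/port that session now uses."""
    inside = Packet("10.0.0.5", 5000, "198.51.100.7", 53)  # constructed: host -> peer A
    devices = {
        "nat-endpoint-independent": Nat("203.0.113.1", ENDPOINT_INDEPENDENT),
        "nat-address-dependent": Nat("203.0.113.1", ADDRESS_DEPENDENT),
        "nat-address-port-dependent": Nat("203.0.113.1", ADDRESS_PORT_DEPENDENT),
        "stateful-firewall": StatefulFirewall(),
    }
    results = {}
    for name, dev in devices.items():
        out = dev.outbound(inside)
        reply = Packet("198.51.100.7", 53, out.src_ip, out.src_port)         # genuine reply
        same_host_other_port = Packet("198.51.100.7", 9999, out.src_ip, out.src_port)
        stranger = Packet("192.0.2.99", 4444, out.src_ip, out.src_port)      # unrelated host
        results[name] = {
            "reply": dev.inbound(reply) is not None,
            "same_host_other_port": dev.inbound(same_host_other_port) is not None,
            "stranger": dev.inbound(stranger) is not None,
        }
    return results


if __name__ == "__main__":
    for device, verdicts in run_scenario().items():
        print(device, verdicts)
```

Running it shows the gradient the message describes: the endpoint-independent NAT admits all three probes once a binding exists, the address-dependent NAT still admits a packet from the same peer host on a different port, only the address-and-port-dependent NAT and the stateful firewall admit nothing but the genuine reply. The NAT's drops come from the absence of a binding; the firewall's drop is a deliberate rule, which is why the latter can be audited and logged as policy.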
