nanog mailing list archives

Re: Arguing against using public IP space


From: Jay Ashworth <jra () baylink com>
Date: Sun, 13 Nov 2011 18:36:31 -0500 (EST)

---- Original Message -----
From: "Doug Barton" <dougb () dougbarton us>

On 11/13/2011 13:27, Phil Regnauld wrote:
    That's not exactly correct. NAT doesn't imply
    firewalling/filtering.
    To illustrate this to customers, I've mounted attacks/scans on
    hosts behind NAT devices, from the interconnect network immediately
    outside: if you can point a route with the ext ip of the NAT device
    as the next hop, it usually just forwards the packets...

Have you written this up anywhere? It would be absolutely awesome to
be able to point the "NAT IS A SECURITY FEATURE!!!" crowd to an actual
demonstration of why it isn't.

Accepting strict source routing from a public interface is certainly in the
top 10 Worst Common Practices, is it not?  (IE: I would be surprised if *any*
current router actually let you do that.)

Cheers,
-- jra
-- 
Jay R. Ashworth                  Baylink                       jra () baylink com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274
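To make the distinction Phil draws concrete, here is a small Python model of a NAPT box's forwarding path, once as NAT only and once with a stateful forward filter in front of the LAN. This is an added example, not code posted in this thread or from any router vendor; the addresses, ports and interface names are constructed, and the `NatRouter` and `Packet` classes are hypothetical. It shows why NAT by itself is not a filter: the translation table only touches packets that match an outbound mapping, so a packet that arrives on the outside interface already addressed to a private LAN address (a neighbour on the interconnect with a route for 192.168.1.0/24 via the NAT device's external IP) is simply routed to the LAN. With a default-drop forward policy that admits only established flows, the same packet is dropped.

```python
"""Model of a NAT router's forwarding path, with and without a stateful filter.

Constructed example: every address, port and interface name here is made up.
"""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    in_iface: str  # "lan" or "wan"


class NatRouter:
    """Hypothetical NAPT box: one external IP, one LAN prefix, optional forward filter."""

    def __init__(self, ext_ip, lan_prefix, stateful_filter=False):
        self.ext_ip = ipaddress.ip_address(ext_ip)
        self.lan = ipaddress.ip_network(lan_prefix)
        self.stateful_filter = stateful_filter
        self.next_port = 40000
        # Outbound translation table: ext_port -> (lan_ip, lan_port, remote_ip, remote_port)
        self.nat_table = {}

    def _route(self, dst):
        # Routing decision: the LAN prefix goes out "lan", everything else out "wan".
        return "lan" if dst in self.lan else "wan"

    def forward(self, pkt):
        """Return ("forwarded", out_iface, packet) or ("dropped", reason)."""
        src = ipaddress.ip_address(pkt.src)
        dst = ipaddress.ip_address(pkt.dst)

        # 1. Outbound from the LAN: allocate a mapping and rewrite the source.
        if pkt.in_iface == "lan" and src in self.lan and dst not in self.lan:
            ext_port = self.next_port
            self.next_port += 1
            self.nat_table[ext_port] = (src, pkt.sport, dst, pkt.dport)
            return ("forwarded", "wan",
                    replace(pkt, src=str(self.ext_ip), sport=ext_port))

        # 2. Inbound addressed to the external IP: translated only if it matches
        #    an existing mapping (a reply to a LAN-initiated flow).
        if pkt.in_iface == "wan" and dst == self.ext_ip:
            entry = self.nat_table.get(pkt.dport)
            if entry and entry[2] == src and entry[3] == pkt.sport:
                lan_ip, lan_port, _, _ = entry
                return ("forwarded", "lan",
                        replace(pkt, dst=str(lan_ip), dport=lan_port))
            return ("dropped", "no NAT mapping for this flow")

        # 3. Everything else is plain routing; NAT never looked at it.
        out = self._route(dst)
        if self.stateful_filter and pkt.in_iface == "wan" and out == "lan":
            # Default-drop forward policy: a wan->lan packet that was not
            # un-translated in step 2 belongs to no established flow.
            return ("dropped", "forward policy drop: new flow from wan")
        return ("forwarded", out, pkt)


def demo():
    """Run the scenario from the thread against both configurations."""
    results = {}
    for name, filt in (("nat_only", False), ("nat_plus_filter", True)):
        r = NatRouter("203.0.113.2", "192.168.1.0/24", stateful_filter=filt)
        # A LAN host opens a connection outward; the reply is un-translated normally.
        out = r.forward(Packet("192.168.1.10", "198.51.100.7", 51000, 443, "lan"))
        reply = r.forward(Packet("198.51.100.7", out[2].src, 443, out[2].sport, "wan"))
        # A neighbour on the interconnect has a route for 192.168.1.0/24 via
        # 203.0.113.2 and sends a packet to a private address through the NAT box.
        probe = r.forward(Packet("203.0.113.9", "192.168.1.10", 40001, 22, "wan"))
        results[name] = {"reply": reply[0], "probe": probe[0], "probe_detail": probe[1]}
    return results


if __name__ == "__main__":
    for cfg, res in demo().items():
        print(cfg, res)
```

In the NAT-only configuration the reply is translated back and the stray packet is forwarded out the LAN interface untouched; with the stateful filter enabled the reply still passes (it was un-translated in step 2) while the stray packet is dropped. The filter, not the address translation, is what protects the hosts behind the box.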

