nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Netflix banning HE tunnels

From: "Ricky Beam" <jfbeam () gmail com>
Date: Tue, 14 Jun 2016 14:57:40 -0400
On Sun, 12 Jun 2016 19:47:18 -0400, Owen DeLong <owen () delong com> wrote:
NAT may not be security, yet it's the only thing securing billions of people. 

Nope… NAT Can’t be done without stateful inspection.


Negative.
- 1:1 NAT (inside address A == outside address B) requires no state of any kind. 
- Connection Tracking is not stateful inspection
- NAT Helpers / ALG / etc. (things that look for embedded addresses) aren't "stateful inspection"
The only "security" one gets from NAT comes from the lack of outside visibility through the NAT. An outside host cannot initiate a connection to any specific inside host of their choosing.
I've seen many "IPv6 Capable" CPEs that apply ZERO security to IPv6 traffic. IPv4 goes through NAT, so one gets the pseudo-security of not being directly touchable from the internet.
Previous By Date Next
Previous By Thread Next

Current thread: