[111536] in North American Network Operators' Group
Re: v6 & DSL / Cable modems [was: Private use of non-RFC1918 IP space
daemon@ATHENA.MIT.EDU (Stephen Sprunk)
Fri Feb 6 21:21:02 2009
Date: Fri, 06 Feb 2009 20:20:40 -0600
From: Stephen Sprunk <stephen@sprunk.org>
To: Roger Marquis <marquis@roble.com>
In-Reply-To: <20090205043908.1BAA82B21F4@mx5.roble.com>
Cc: north American Noise and Off-topic Gripes <nanog@merit.edu>
Errors-To: nanog-bounces@nanog.org
This is a cryptographically signed message in MIME format.
--------------ms080801080606060302010709
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Roger Marquis wrote:
> Seth Mattinen wrote:
>> Far too many people see NAT as synonymous with a firewall so they
>> think if you take away their NAT you're taking away the security of a
>> firewall.
>
> NAT provides some security, often enough to make a firewall
> unnecessary. It all depends on what's inside the edge device. But
> really, I've never heard anyone seriously equate a simple NAT device
> with a firewall.
You must be very sheltered. Most end users, even "security" folks at
major corporations, think a NAT box is a firewall and disabling NAT is
inherently less secure. Part of that is factual: NAT (er, dynamic PAT)
devices are inherently fail-closed because of their design, while a
firewall might fail open. Also, NAT prevents some information leakage
by hiding the internal details of the site's network, and many folks
place a high value on "security" through obscurity. This is
understandable, since the real threats -- uneducated users and flawed
software -- are ones they have no power to fix.
S
--
Stephen Sprunk "God does not play dice." --Albert Einstein
CCIE #3723 "God is an inveterate gambler, and He throws the
K5SSS dice at every possible opportunity." --Stephen Hawking
--------------ms080801080606060302010709
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature
MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIJBzCC
At4wggJHoAMCAQICEFkNnc5PR4SyuzPK7tBOkNAwDQYJKoZIhvcNAQEFBQAwYjELMAkGA1UE
BhMCWkExJTAjBgNVBAoTHFRoYXd0ZSBDb25zdWx0aW5nIChQdHkpIEx0ZC4xLDAqBgNVBAMT
I1RoYXd0ZSBQZXJzb25hbCBGcmVlbWFpbCBJc3N1aW5nIENBMB4XDTA4MTExMDE5MDk1MFoX
DTA5MTExMDE5MDk1MFowRDEfMB0GA1UEAxMWVGhhd3RlIEZyZWVtYWlsIE1lbWJlcjEhMB8G
CSqGSIb3DQEJARYSc3RlcGhlbkBzcHJ1bmsub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEAu1acv8o2sG+Npj/JMg2NI90BBfw4+qtHaanVWrnApTfaqH3Z6W1FUY5JNO+d
XSgYe8V54kPuUK1w9uiqKCgBrQy87lXfJ2elbXjN+KPGAKmbrxCFCfEwHFll1nFlgER9MHJJ
AT8L7r7h+uRxABjvyrOMCXkgG4RiNaFPiyvH4Rqb9R0NxcawaKCzMh11Q+uRgyv1Or8ajYuD
R+9Jm6VNxKFwY+e0JjAUzD28viKJcafK60UFdIRyGKrHYM0K44kKcsmiQV7nsGo4mM7QVsV5
PyKD8Ea5BV/6orxKviKwq4yff+rr++zQxHlQa8tzMnrPQSl9f2C9tbQ/GGnodjaExQIDAQAB
oy8wLTAdBgNVHREEFjAUgRJzdGVwaGVuQHNwcnVuay5vcmcwDAYDVR0TAQH/BAIwADANBgkq
hkiG9w0BAQUFAAOBgQAqaXuxwkf+k8FyHecPNHdLCViVnza6NoBi+8LP+u8Io1BZDn5oa8Gf
20DXN2sHQRRqCIsFNCBDG86T/zWzb7UYcToxCONu0IEA8UfP4y9Qdp2/IU68T0tfzwddEIhb
jQMoEGKaS9NDFRyJR8RyU4EUgjIJOe8iOCt47TvhqCo4oDCCAt4wggJHoAMCAQICEFkNnc5P
R4SyuzPK7tBOkNAwDQYJKoZIhvcNAQEFBQAwYjELMAkGA1UEBhMCWkExJTAjBgNVBAoTHFRo
YXd0ZSBDb25zdWx0aW5nIChQdHkpIEx0ZC4xLDAqBgNVBAMTI1RoYXd0ZSBQZXJzb25hbCBG
cmVlbWFpbCBJc3N1aW5nIENBMB4XDTA4MTExMDE5MDk1MFoXDTA5MTExMDE5MDk1MFowRDEf
MB0GA1UEAxMWVGhhd3RlIEZyZWVtYWlsIE1lbWJlcjEhMB8GCSqGSIb3DQEJARYSc3RlcGhl
bkBzcHJ1bmsub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu1acv8o2sG+N
pj/JMg2NI90BBfw4+qtHaanVWrnApTfaqH3Z6W1FUY5JNO+dXSgYe8V54kPuUK1w9uiqKCgB
rQy87lXfJ2elbXjN+KPGAKmbrxCFCfEwHFll1nFlgER9MHJJAT8L7r7h+uRxABjvyrOMCXkg
G4RiNaFPiyvH4Rqb9R0NxcawaKCzMh11Q+uRgyv1Or8ajYuDR+9Jm6VNxKFwY+e0JjAUzD28
viKJcafK60UFdIRyGKrHYM0K44kKcsmiQV7nsGo4mM7QVsV5PyKD8Ea5BV/6orxKviKwq4yf
f+rr++zQxHlQa8tzMnrPQSl9f2C9tbQ/GGnodjaExQIDAQABoy8wLTAdBgNVHREEFjAUgRJz
dGVwaGVuQHNwcnVuay5vcmcwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQUFAAOBgQAqaXux
wkf+k8FyHecPNHdLCViVnza6NoBi+8LP+u8Io1BZDn5oa8Gf20DXN2sHQRRqCIsFNCBDG86T
/zWzb7UYcToxCONu0IEA8UfP4y9Qdp2/IU68T0tfzwddEIhbjQMoEGKaS9NDFRyJR8RyU4EU
gjIJOe8iOCt47TvhqCo4oDCCAz8wggKooAMCAQICAQ0wDQYJKoZIhvcNAQEFBQAwgdExCzAJ
BgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUgVG93bjEa
MBgGA1UEChMRVGhhd3RlIENvbnN1bHRpbmcxKDAmBgNVBAsTH0NlcnRpZmljYXRpb24gU2Vy
dmljZXMgRGl2aXNpb24xJDAiBgNVBAMTG1RoYXd0ZSBQZXJzb25hbCBGcmVlbWFpbCBDQTEr
MCkGCSqGSIb3DQEJARYccGVyc29uYWwtZnJlZW1haWxAdGhhd3RlLmNvbTAeFw0wMzA3MTcw
MDAwMDBaFw0xMzA3MTYyMzU5NTlaMGIxCzAJBgNVBAYTAlpBMSUwIwYDVQQKExxUaGF3dGUg
Q29uc3VsdGluZyAoUHR5KSBMdGQuMSwwKgYDVQQDEyNUaGF3dGUgUGVyc29uYWwgRnJlZW1h
aWwgSXNzdWluZyBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAxKY8VXNV+065ypla
HmjAdQRwnd/p/6Me7L3N9VvyGna9fww6YfK/Uc4B1OVQCjDXAmNaLIkVcI7dyfArhVqqP3FW
y688Cwfn8R+RNiQqE88r1fOCdz0Dviv+uxg+B79AgAJk16emu59l0cUqVIUPSAR/p7bRPGEE
QB5kGXJgt/sCAwEAAaOBlDCBkTASBgNVHRMBAf8ECDAGAQH/AgEAMEMGA1UdHwQ8MDowOKA2
oDSGMmh0dHA6Ly9jcmwudGhhd3RlLmNvbS9UaGF3dGVQZXJzb25hbEZyZWVtYWlsQ0EuY3Js
MAsGA1UdDwQEAwIBBjApBgNVHREEIjAgpB4wHDEaMBgGA1UEAxMRUHJpdmF0ZUxhYmVsMi0x
MzgwDQYJKoZIhvcNAQEFBQADgYEASIzRUIPqCy7MDaNmrGcPf6+svsIXoUOWlJ1/TCG4+DYf
qi2fNi/A9BxQIJNwPP2t4WFiw9k6GX6EsZkbAMUaC4J0niVQlGLH2ydxVyWN3amcOY6MIE9l
X5Xa9/eH1sYITq726jTlEBpbNU1341YheILcIRk13iSx0x1G/11fZU8xggNkMIIDYAIBATB2
MGIxCzAJBgNVBAYTAlpBMSUwIwYDVQQKExxUaGF3dGUgQ29uc3VsdGluZyAoUHR5KSBMdGQu
MSwwKgYDVQQDEyNUaGF3dGUgUGVyc29uYWwgRnJlZW1haWwgSXNzdWluZyBDQQIQWQ2dzk9H
hLK7M8ru0E6Q0DAJBgUrDgMCGgUAoIIBwzAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwG
CSqGSIb3DQEJBTEPFw0wOTAyMDcwMjIwNDBaMCMGCSqGSIb3DQEJBDEWBBTtK1510teMxb+r
8uq+dTbXBQ7c9jBSBgkqhkiG9w0BCQ8xRTBDMAoGCCqGSIb3DQMHMA4GCCqGSIb3DQMCAgIA
gDANBggqhkiG9w0DAgIBQDAHBgUrDgMCBzANBggqhkiG9w0DAgIBKDCBhQYJKwYBBAGCNxAE
MXgwdjBiMQswCQYDVQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkg
THRkLjEsMCoGA1UEAxMjVGhhd3RlIFBlcnNvbmFsIEZyZWVtYWlsIElzc3VpbmcgQ0ECEFkN
nc5PR4SyuzPK7tBOkNAwgYcGCyqGSIb3DQEJEAILMXigdjBiMQswCQYDVQQGEwJaQTElMCMG
A1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkgTHRkLjEsMCoGA1UEAxMjVGhhd3RlIFBl
cnNvbmFsIEZyZWVtYWlsIElzc3VpbmcgQ0ECEFkNnc5PR4SyuzPK7tBOkNAwDQYJKoZIhvcN
AQEBBQAEggEAuSB+nQ4oPcV/p5KbvDCysBTj6bLizql6DOMEAqnipd8l9cT1IH9XLOeL6x1G
94luhj59S0f3JdIT+qMIitM3p8x+9Q9iszU0HDuN1bY8yO3sav9QZwNumQN8o91S4F4T8WPW
Yxa3vVNrvv2zV8Nul832SuFFr5QWp+CfYFI0Fbi/9XFQWK6tzQaa8eVRPRcCz9d9dFKu7pGo
kUFEKD7WKOneooPbfK6q07BAuk7pgyHY4HT3CMGdKmrL40uk7WDBDsZKcUFo7Z3w7XIu/v9Q
nxGbCESCw3pZoawxBYL1205Vy0tDCp/78W0FV2UFZOCqHcIw86PINYC641jsmrIPJQAAAAAA
AA==
--------------ms080801080606060302010709--
